Beruflich Dokumente
Kultur Dokumente
Preface
1
___________________
Description
SIMATIC NET
___________________
Security recommendation 2
___________________
Technical basics 3
Industrial Ethernet Security
SCALANCE S615 Configuring with Web Based
___________________
Management 4
Web Based Management
___________________
Upkeep and maintenance 5
Configuration Manual
___________________
Appendix A A
01/2019
C79000-G8976-C388-07
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
indicates that minor personal injury can result if proper precautions are not taken.
NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Security information
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be
connected to an enterprise network or the internet if and to the extent such a connection is
necessary and only when appropriate security measures (e.g. firewalls and/or network
segmentation) are in place.
For additional information on industrial security measures that may be implemented, please
visit https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends that product updates are applied as soon as they are
available and that the latest product versions are used. Use of product versions that are no
longer supported, and failure to apply the latest updates may increase customers’ exposure
to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under https://www.siemens.com/industrialsecurity.
Firmware
The firmware is signed and encrypted. This ensures that only firmware created by Siemens
can be downloaded to the device.
License conditions
Note
Open source software
Read the license conditions for open source software carefully before using the product.
You will find license conditions in the following documents on the supplied data medium:
● M87x, M81x, M826, M804PB, S615: OSS_Scalance-M-800-S615_86.pdf
Trademarks
The following and possibly other names not identified by the registered trademark sign ® are
registered trademarks of Siemens AG:
SCALANCE, SINEMA, KEY-PLUG, C-PLUG
Preface ................................................................................................................................................... 3
1 Description ............................................................................................................................................ 13
1.1 Function ..................................................................................................................................13
1.2 Configuration examples ..........................................................................................................15
1.2.1 TeleControl with SINEMA RC .................................................................................................15
1.2.2 Secure access with S615 .......................................................................................................17
1.3 Requirements for operation ....................................................................................................18
1.3.1 Use in a PROFINET environment ...........................................................................................19
1.4 System functions .....................................................................................................................20
1.5 Configuration limits for WBM and CLI .....................................................................................22
1.6 Configuration limits for SINEMA RC .......................................................................................24
1.7 PLUG ......................................................................................................................................25
1.7.1 C-PLUG and KEY-PLUG ........................................................................................................25
1.7.2 PRESET PLUG .......................................................................................................................26
2 Security recommendation...................................................................................................................... 27
3 Technical basics ................................................................................................................................... 33
3.1 Structure of an IPv4 address ..................................................................................................33
3.2 ICMP .......................................................................................................................................35
3.3 VLAN .......................................................................................................................................37
3.3.1 VLAN .......................................................................................................................................37
3.3.2 VLAN tagging ..........................................................................................................................38
3.4 SNMP ......................................................................................................................................40
3.5 Security functions ....................................................................................................................43
3.5.1 User management ..................................................................................................................43
3.5.2 Firewall ....................................................................................................................................45
3.5.2.1 Firewall ....................................................................................................................................45
3.5.3 NAT .........................................................................................................................................49
3.5.4 NAT and firewall ......................................................................................................................50
3.5.5 Certificates ..............................................................................................................................53
3.5.6 VPN .........................................................................................................................................54
3.5.6.1 IPsec VPN ...............................................................................................................................54
3.5.6.2 OpenVPN ................................................................................................................................58
3.5.6.3 VPN connection establishment ...............................................................................................59
3.6 Redundancy ............................................................................................................................63
3.6.1 Spanning Tree ........................................................................................................................63
3.6.1.1 RSTP.......................................................................................................................................64
3.6.2 VRRPv3 ..................................................................................................................................65
4 Configuring with Web Based Management ............................................................................................ 67
Configuration
Configuration of all parameters using the
● Web Based Management (WBM) via HTTP and HTTPS.
● Command Line Interface (CLI) via Telnet and SSH.
Security functions
● Router with NAT function
– IP masquerading
– NAPT
– SourceNAT
– NETMAP
● Password protection
● Firewall function
– Port forwarding
– IP firewall with stateful packet inspection (layer 3 and 4)
– Global and user-defined firewall rules
● VPN functions
To establish a VPN (Virtual Private Network), the following functions are available
– IPsec VPN
– OpenVPN client
● SINEMA RC client
● Proxy server
● Siemens Remote Service (SRS)
Other functions
● Time-of-day synchronization
– NTP client and NTP server
– Secure NTP server
– SIMATIC Time Client
– SNTP Client
● DHCP
– DHCP server (local network)
– DHCP client
● Virtual networks (VLAN)
To structure Industrial Ethernet networks with a fast growing number of nodes, a physical
network can be divided into several virtual subnets
● Digital input/digital output
● Dynamic DNS client
● DNS client / DNS proxy
● SMTP client
● TIA Portal Cloud Connector (SCALANCE M804PB)
Procedure
To be able to access a plant via a remote maintenance master station, follow the steps
below:
1. Establish the Ethernet connection between the S615 and the connected Admin PC.
2. Create the devices and node groups on the SINEMA RC Server.
3. Configure the connection to the SINEMA RC server on the device, refer to the section
SINEMA RC (Page 212).
4. Set up the connected applications of the plant for data communication.
Power supply
A power supply with a voltage between 12 VDC and 24 VDC that can provide sufficient
current.
You will find further information on this in the device-specific operating instructions.
Configuration
In the factory settings, the SCALANCE S615 can be reached as follows for initial
configuration:
You will find more information in "Web Based Management (Page 67)" and in "Starting and
logging in (Page 69)".
Note
Validity of CCA declaration
The CCA declaration applies to PROFINET RT without the use in media redundancy
structures.
Configuration information
When using the device in a PROFINET environment, follow the following configuration
instructions:
● Set the "Aging Time" to 45 seconds.
● Disable Spanning Tree and enable Passive Listening.
SCALANCE
S615
Basic Wizard IP settings ✓
Device Settings ✓
Time settings ✓
SINEMA RC 1) ✓
DDNS ✓
Information ARP Table ✓
Log Tables ✓
VRRPv3 Statistics ✓
Redundancy ✓
SINEMA RC 1) ✓
System SMTP client ✓
SNMP ✓
Time setting ✓
Automatic logout ✓
Syslog client ✓
Fault Monitoring ✓
PLUG ✓
SMS ✓
DNS ✓
DHCP Client ✓
DHCP Server ✓
cRSP/SRS ✓
Proxy Server ✓
SINEMA RC1) ✓
Interfaces Ethernet ✓
PPP ✓
SCALANCE
S615
Layer 2 Configuration ✓
VLAN ✓
Dynamic MAC aging ✓
Spanning Tree ✓
LLDP ✓
Layer 3 Static routes ✓
Subnets ✓
NAT ✓
VRRPv3 ✓
Security User ✓
Passwords ✓
AAA (Authentication, Authori- ✓
zation, Accounting)
Certificates ✓
Firewall ✓
IPsec VPN ✓
OpenVPN ✓
1) KEY-PLUG SINEMA Remote Connect 6GK5908-0PB00
1.7 PLUG
How it works
The C-PLUG or KEY-PLUG is used to transfer the configuration of the old device to the new
device when a device is replaced.
NOTICE
Do not remove or insert a C-PLUG / KEY-PLUG during operation!
A PLUG may only be removed or inserted when the device is turned off.
The device checks whether or not a PLUG is present at one second intervals. If it is
detected that the PLUG was removed, there is a restart.
If a valid KEY-PLUG was inserted in the device, the device changes to a defined error state
following the restart.
When the new device starts up with the PLUG, it then continues automatically with exactly
the same configuration as the old device. One exception to this can be the IP configuration if
it is set over DHCP and the DHCP server has not been reconfigured accordingly.
A reconfiguration is necessary if you use functions based on MAC addresses.
If an incorrect PLUG, for example from another product or a damaged PLUG is inserted, the
device signals an error with the "F" LED.
You can either remove the PLUG again or select the option to reformat the PLUG.
In terms of the PLUG, devices work in two modes:
● Without PLUG
The device stores the configuration in internal memory. This mode is active when no
PLUG is inserted.
● With PLUG
The configuration stored on the PLUG is displayed in WBM in "Information > PLUG". If
changes are made to the configuration, the device stores the configuration directly on the
PLUG and in the internal memory. This mode is active as soon as a PLUG is inserted. As
soon as the device is started with a PLUG inserted, the device starts up with the
configuration data on the PLUG.
Note
Using configurations with DHCP
Create a PRESET-PLUG only from device configurations that use DHCP. Otherwise
disruptions will occur in network operation due to multiple identical IP addresses.
You assign fixed IP addresses extra following the basic installation.
Note
Restore factory defaults and restart with a PRESET PLUG inserted
If you reset a device to the factory defaults, when the device restarts an inserted PRESET
PLUG is formatted and the PRESET PLUG functionality is lost. You then need to create a
new PRESET PLUG.
We recommend that you remove the PRESET PLUG before you reset the device to the
factory settings.
For more detailed information on creating and using a PRESET PLUG refer to the section
Device configuration with PRESET-PLUG (Page 311).
General
● You should make regular checks to make sure that the device meets these
recommendations and/or other security guidelines.
● Evaluate your plant as a whole in terms of security. Use a cell protection concept with
suitable products:
Link: (https://www.industry.siemens.com/topics/global/en/industrial-
security/pages/default.aspx)
● When the internal and external network are disconnected, an attacker cannot access
internal data from the outside. Therefore operate the device only within a protected
network area.
● Use VPN to encrypt and authenticate communication from and to the devices.
● For data transmission via a non-secure network use an encrypted VPN tunnel (IPsec,
Open VPN).
● Separate connections correctly (WBM. Telnet, SSH etc.).
Physical access
● Limit physical access to the device to qualified personnel.
The memory card or the PLUG (C-PLUG, KEY-PLUG) contains sensitive data such as
certificates, keys etc. that can be read out and modified.
● Lock unused physical ports on the device. Unused ports can be used to gain forbidden
access to the plant.
● Use a central logging server to log changes and accesses. Operate your logging server
within the protected network area and check the logging information regularly.
● We recommend formatting a PLUG that is not being used.
Passwords
● Define rules for the use of devices and assignment of passwords.
● Regularly update passwords and keys to increase security.
● Change all default passwords for users before you operate the device.
● Only use passwords with a high password strength. Avoid weak passwords for example
password1, 123456789, abcdefgh.
● Make sure that all passwords are protected and inaccessible to unauthorized personnel.
● Do not use the same password for different users and systems or after it has expired.
Secure/non-secure protocols
● Avoid or disable non-secure protocols, for example Telnet and TFTP. For historical
reasons, these protocols are still available, however not intended for secure applications.
Use non-secure protocols on the device using a secure connection (e.g. SINEMA RC).
● Avoid or disable non-secure protocols. Check whether use of the following protocols is
necessary:
– Telnet
– HTTP
– Broadcast pings
– Non authenticated and unencrypted interfaces
– ICMP (redirect)
– LLDP
– Syslog
– DHCP Options 66/67
– SNTP
– NTP
– TFTP
– TIA Portal Cloud Connector
● The following protocols provide secure alternatives:
– SNMPv1/v2 → SNMPv3
Check whether use of SNMPv1 is necessary. SNMPv1 is classified as non-secure.
Use the option of preventing write access. The product provides you with suitable
setting options.
If SNMP is enabled, change the community names. If no unrestricted access is
necessary, restrict access with SNMP.
– HTTP → HTTPS
– Telnet → SSH
– NTP → Secure NTP
– SNTP → Secure NTP
– TFTP → SFTP
– TIA Portal Cloud Connector using a secure connection.
Use the "TIA Portal Cloud Connector" integrated in the product over a VPN solution
(e.g. SINEMA RC).
Configure the firewall settings of the SCALANCE M800/S615 (e.g. predefined IPv4
rules "Cloud Connector" to prevent unauthorized access of network devices to the
"TIA Portal Cloud Connector Server").
● Use secure protocols when access to the device is not prevented by physical protection
measures.
Address classes
An IP address consists of 4 bytes. Each byte is represented in decimal, with a dot separating
it from the previous one. This results in the following structure, where XXX stands for a
number between 0 and 255:
XXX.XXX.XXX.XXX
The IP address is made up of two parts, the network ID and the host ID. This allows different
subnets to be created. Depending on the bytes of the IP address used as the network ID and
those used for the host ID, the IP address can be assigned to a specific address class.
Subnet mask
The bits of the host ID can be used to create subnets. The leading bits represent the address
of the subnet and the remaining bits the address of the host in the subnet.
A subnet is defined by the subnet mask. The structure of the subnet mask corresponds to
that of an IP address. If a "1" is used at a bit position in the subnet mask, the bit belongs to
the corresponding position in the IP address of the subnet address, otherwise to the address
of the computer.
Example of a class B network:
The standard subnet address for class B networks is 255.255.0.0; in other words, the last
two bytes are available for defining a subnet. If 16 subnets must be defined, the third byte of
the subnet address must be set to 11110000 (binary notation). In this case, this results in the
subnet mask 255.255.240.0.
To find out whether two IP addresses belong to the same subnet, the two IP addresses and
the subnet mask are ANDed bit by bit. If both logic operations have the save result, both IP
addresses belong to the same subnet, for example, 141.120.246.210 and 141.120.252.108.
Outside the local area network, the distinction between network ID and host ID is of no
significance, in this case packets are delivered based on the entire IP address.
Note
In the bit representation of the subnet mask, the "ones" must be set left-justified; in other
words, there must be no "zeros" between the "ones".
3.2 ICMP
The acronym ICMP stands for Internet Control Message Protocol (RFC792) and is used to
exchange error and information messages.
● Error message
Informs the sender of the IP frame that when forwarding the frame an error or a
parameter problem occurred.
● Information message
Can contain information about the time measurement, the address mask, the reachability
of the destination or for finding the router.
0 4 8 12 16 20 24 28 31
ICMP packet type Code Checksum
Type of message Further details of the
message
Data (optional)
Host A wants to send an IP frame to host C. Host C is not located in the same subnet as
host A. For this reason host A sends the IP frame to its default gateway. The default gateway
of host A is interface 1 of router A. Router A cannot forward the IP frame because it does not
know the destination network. Via its routing table, however, router A knows that subnet C is
reachable via router B. Router B connects subnet A with subnet C. Router A sends a redirect
message to host A. In this, router A instructs host A in future to send IP frames to host C via
router B whose IP address is contained in the redirect message. The initial IP frame is sent
by router A directly to router B that forwards it to Host C.
3.3 VLAN
3.3.1 VLAN
P1 to P4 vlan1
For access from the local network (LAN) to the
device
P5 vlan2
For access from the external network (WAN) to
the device
You can change the assignment in "Layer 2 > VLAN > General (Page 225)".
The VLANs are in different IP subnets. To allow these to communicate with each other, the
route and firewall rule must be configured on the device.
Note
The VLAN tag increases the permitted total length of the frame from 1518 to 1522 bytes.
The end nodes on the networks must be checked to find out whether they can process this
length / this frame type. If this is not the case, only frames of the standard length may be
sent to these nodes.
The additional 4 bytes are located in the header of the Ethernet frame between the source
address and the Ethernet type / length field:
The additional bytes contain the tag protocol identifier (TPID) and the tag control information
(TCI).
The tagged frame has 3 bits for the priority that is also known as Class of Service (CoS), see
also IEEE 802.1Q.
The prioritization of the data packets is possible only if there is a queue in the components in
which they can buffer data packets with lower priority.
The device has multiple parallel queues in which the frames with different priorities can be
processed. As default, first, the frames with the highest priority are processed. This method
ensures that the frames with the highest priority are sent even if there is heavy data traffic.
Canonical Format Identifier (CFI)
The CFI is required for compatibility between Ethernet and the token Ring.
The values have the following meaning:
Value Meaning
0 The format of the MAC address is canonical. In the canonical representation of the MAC
address, the least significant bit is transferred first. Standard-setting for Ethernet switches.
1 The format of the MAC address is not canonical.
VLAN ID
In the 12-bit data field, up to 4096 VLAN IDs can be formed. The following conventions
apply:
VLAN ID Meaning
0 The frame contains only priority information (priority tagged frames) and no valid
VLAN identifier.
1- 4094 Valid VLAN identifier, the frame is assigned to a VLAN and can also include priori-
ty information.
4095 Reserved
3.4 SNMP
Introduction
With the aid of the Simple Network Management Protocol (SNMP), you monitor and control
network components from a central station, for example routers or switches. SNMP controls
the communication between the monitored devices and the monitoring station.
Tasks of SNMP:
● Monitoring of network components
● Remote control and remote parameter assignment of network components
● Error detection and error notification
In versions v1 and v2c, SNMP has no security mechanisms. Each user in the network can
access data and also change parameter assignments using suitable software.
For the simple control of access rights without security aspects, community strings are used.
The community string is transferred along with the query. If the community string is correct,
the SNMP agent responds and sends the requested data. If the community string is not
correct, the SNMP agent discards the query. Define different community strings for read and
write permissions. The community strings are transferred in plain text.
Standard values of the community strings:
● public
has only read permissions
● private
has read and write permissions
Note
Because the SNMP community strings are used for access protection, do not use the
standard values "public" or "private". Change these values following the initial
commissioning.
SNMP data packets are not encrypted and can easily be read by others.
The central station is also known as the management station. An SNMP agent is installed on
the devices to be monitored with which the management station exchanges data.
The management station sends data packets of the following type:
● GET
Request for a data record from the SNMP agent
● GETNEXT
Calls up the next data record.
● GETBULK (available as of SNMPv2c)
Requests multiple data records at one time, for example several rows of a table.
● SET
Contains parameter assignment data for the relevant device.
The SNMP agent sends data packets of the following type:
● RESPONSE
The SNMP agent returns the data requested by the manager.
● TRAP
If a certain event occurs, the SNMP agent itself sends traps.
SNMPv1/v2c/v3 use UDP (User Datagram Protocol) and use the UDP ports 161 and 162.
The data is described in a Management Information Base (MIB).
SNMPv3
Compared with the previous versions SNMPv1 and SNMPv2c, SNMPv3 introduces an
extensive security concept.
SNMPv3 supports:
● Fully encrypted user authentication
● Encryption of the entire data traffic
● Access control of the MIB objects at the user/group level
With the introduction of SNMPv3 you can no longer transfer user configurations to other
devices without taking special action, e.g. by loading a configuration file or replacing the C-
PLUG.
According to the standard, the SNMPv3 protocol uses a unique SNMP engine ID as an
internal identifier for an SNMP agent. This ID must be unique in the network. It is used to
authenticate access data of SNMPv3 users and to encrypt it.
Depending on whether you have enabled or disabled the “SNMPv3 User Migration” function,
the SNMP engine ID is generated differently.
Restriction when using the function
Use the "SNMPv3 User Migration" function only to transfer configured SNMPv3 users to a
substitute device when replacing a device.
Do not use the function to transfer configured SNMPv3 users to multiple devices. If you load
a configuration with created SNMPv3 users on several devices, these devices use the same
SNMP engine ID. If you use these devices in the same network, your configuration
contradicts the SNMP standard.
Compatibility with predecessor products
You can only transfer SNMPv3 users to a different device if you have created the users as
migratable users. To create a migratable user the "SNMPv3 User Migration" function must
be activated when you create the user.
Local logon
The local logging on of users by the device runs as follows:
1. The user logs on with user name and password on the device.
2. The device checks whether an entry exists for the user.
→ If an entry exists, the user is logged in with the rights of the associated role.
→ If no corresponding entry exists, the user is denied access.
– The RADIUS server reports a successful authentication and returns a different or even
no value to the device for the attribute "Service Type".
→ The user is logged in with read rights.
– The RADIUS server reports a failed authentication to the device:
→ The user is denied access.
Case B: The RADIUS server reports a successful authentication but does not return a
group to the device.
– The user is entered in the table "External User Accounts":
→ The user is logged in with the rights of the linked role "".
– The user is not entered in the table "External User Accounts":
→ The user is logged in with the rights of the role "Default".
Case C: The RADIUS server reports a failed authentication to the device:
– The user is denied access.
3.5.2 Firewall
3.5.2.1 Firewall
The security functions of the device include a stateful inspection firewall. This is a method of
packet filtering or packet checking.
The IP packets are checked based on firewall rules in which the following is specified:
● The permitted protocols
● IP addresses and ports of the permitted sources
● IP addresses and ports of the permitted destinations
If an IP packet fits the specified parameters, it is allowed to pass through the firewall. The
rules also specify what is done with IP packets that are not allowed to pass through the
firewall.
Simple packet filter techniques require two firewall rules per connection.
● One rule for the query direction from the source to the destination.
● A second rule for the response direction from the destination to the source
Note
IP packets via layer 2 (within the same VLAN)
If the IP packets from the device are sent via a switch port (layer 2), these IP packets are not
checked based on firewall rules. The firewall has no effect on packets forwarded at the layer
2 level.
Communication directions
from to Meaning
vlan x vlan x Access from IP subnet vlan x to IP subnet vlan x.
Example:
vlan1 (INT) → vlan2 (EXT)
Access from the local IP subnet to the external IP subnet.
ppp2 Access from the IP subnet to the WAN interface of the device.
Device Access from the IP subnet to the device.
SINEMA RC Access from the IP subnet to the SINEMA RC connection.
IPsec (all) Access from the IP subnet to the VPN tunnel partners that can be
IPsec <Connection reached via all VPN connections (all) or via a certain VPN connection
Name> <Connection Name>.
OpenVPN (all)
OpenVPN <Connec-
tion Name>
Device vlan x Access from the device to the IP subnet.
ppp2 Access from the device to the WAN interface of the device.
SINEMA RC Access from the device to the SINEMA RC connection.
IPsec (all) Access from the device to the tunnel partners that can be reached via all
IPsec <Connection VPN connections (all) or via a certain VPN connection (<Connection
Name> Name>).
OpenVPN (all)
OpenVPN <Connec-
tion Name>
SINEMA RC vlan x Access from SINEMA RC connections to the IP subnet.
ppp2 Access from the IP subnet to the WAN interface of the device.
Device Access from SINEMA RC connections to the device.
IPsec (all) Access from the SINEMA RC server to the VPN tunnel partners that can
IPsec <Connection be reached via all VPN connections (all) or via a certain VPN connection
Name> <Connection Name>.
OpenVPN (all)
OpenVPN <Connec-
tion Name>
from to Meaning
IPsec (all) vlan x Access via VPN tunnel partners to the IP subnet.
IPsec <Connection ppp2 Access from the IP subnet to the WAN interface of the device.
Name> Device Access via VPN tunnel partners to the device.
OpenVPN (all)
SINEMA RC Access via VPN tunnel partners to the SINEMA RC connection.
OpenVPN <Connec-
tion Name>
ppp0/usb vlan x Access from the mobile wireless interface to the IP subnet.
Device Access from the mobile wireless interface to the device.
SINEMA RC Access from the mobile wireless interface to the SINEMA RC connection.
IPsec (all) Access from the mobile wireless interface to the VPN tunnel partners that
IPsec <Connection can be reached via all VPN connections (all) or via a certain VPN con-
Name> nection <Connection Name>.
OpenVPN (all)
OpenVPN <Connec-
tion Name>
Service Access
Local access (vlan1) to the External access (vlan2) to the
device device 1)
Cloud Connector (only with Yes -
M804PB)
DHCP Yes Yes (only for S615)
DNS Yes No
HTTP Yes No
HTTPS Yes No
IPsec VPN No Yes
Ping Yes No
SMS relay (only with M87x) Yes No
SNMP Yes No
SSH Yes No
System time Yes No
Telnet Yes No
1) SCALANCE M826 and M804PB are only available in vlan1 when delivered (factory setting).
SINEMA RC
● Telegrams from internal to external are permitted.
● Telegrams from external to internal are permitted.
● The following telegrams are allowed from external to the device:
– ICMP Echo Request
– SSH
– HTTPS
IPsec VPN
● Telegrams from internal to external are permitted.
● Telegrams from external to internal are permitted.
● Allow ICMP echo request from external to the device.
OpenVPN Client
● Telegrams from internal to external are permitted.
● Telegrams from external to internal are permitted.
● Telegrams from the device to external are permitted.
● Allow ICMP echo request from external to the device.
3.5.3 NAT
NAT (Network Address Translation) is a method of translating IP addresses in data packets.
With this, two different networks (internal and external) can be connected together.
A distinction is made between source NAT in which the source IP address is translated and
destination NAT in which the destination IP address is translated.
You will find information on NAT scenarios that are implemented with the device at the
following address: (https://support.industry.siemens.com/cs/gb/en/view/109744660)
IP masquerading
IP masquerading is a simplified source NAT. With each outgoing data packet sent via this
interface, the source IP address is replaced by the IP address of the interface. The adapted
data packet is sent to the destination IP address. For the destination host it appears as if the
queries always came from the same sender. The internal nodes cannot be reached directly
from the external network. By using NAPT, the services of the internal nodes can be made
reachable via the external IP address of the device.
IP masquerading can be used if the internal IP addresses cannot or should not be forwarded
externally, for example because the internal network structure should remain hidden.
You configure masquerading in "Layer 3" > "NAT" > "IP Masquerading (Page 247)".
NAPT
NAPT (Network Address and Port Translation) is a form of destination NAT and is often
called port forwarding. This allows the services of the internal nodes to be reached from
external that are hidden by IP masquerading or source NAT.
Incoming data packets are translated that come from the external network and are intended
for an external IP address of the device (destination IP address). The destination IP address
is replaced by the IP address of the internal node. In addition to address translation, port
translation is also possible.
The options are available for port translation:
from to Response
a single port the same port If the ports are the same, the frames will be forwarded without port
translation.
a single port a single port The frames are translated to the port.
a port range a single port The frames from the port range are translated to the same port
(n:1).
a port range the same port If the port ranges are the same, the frames will be forwarded with-
range out port translation.
Port forwarding can be used to allow external nodes access to certain services of the internal
network e.g. FTP, HTTP.
You configure NAPT in "Layer 3" > "NAT" > "NAPT (Page 247)".
Source NAT
As with masquerading, in source NAT the source address is translated. In addition to this,
the outgoing data packets can be restricted. These include limitation to certain IP addresses
or IP address ranges and limitation to certain interfaces.
Source NAT can be used if the internal IP addresses cannot or should not be forwarded
externally, for example because a private address range such as 192.168.x.x is used.
You configure source NAT in "Layer 3" > "NAT" > "Source NAT (Page 249)".
NETMAP
With NETMAP it is possible to translate complex subnets to a different subnet. In this
translation, the subnet part of the IP address is changed and the host part remains. For
translation with NETMAP only one rule is required. NETMAP can translate both the source
IP address and the destination IP address. To perform the translation with destination NAT
and source NAT, numerous rules would be necessary. NETMAP can also be applied to VPN
connections.
You configure NETMAP in "Layer 3" > "NAT" > "NETMAP (Page 252)".
NAT rule
Type Source Destination Source IP Sub- Source IP Destination IP Translated destination
Interface Interface net translated subnet Subnet IP
① Source vlan1 vlan2 192.168.1.0/24 10.100.1.0/24 10.10.10.0/24 -
(internal) (external)
The rule applies to packets sent from vlan1 (internal) to vlan2 (external). With the packets that arrive at vlan1 there is a
check to establish whether the rule applies.
If the source IP address in the subnet of the sender (Source IP subnet) and the destination IP address in the subnet of
the recipient (Source IP subnet), the source IP address is replaced by the suitable IP address from the "Translated
source IP subnet". The subnet part of the source IP address is changed and the host part remains unchanged.
A packet, for example with the source IP address 192.168.1.102 is changed to 10.100.1.102. For the devices connect-
ed to vlan2 it appears as if the packets were sent from the IP subnet 10.100.1.0/24. This allows for example overlaps of
IP subnets to be resolved. The rule is only specified for the send direction. The retranslation is performed implicitly. If
the rule does not apply, the packets are forwarded without translation.
② Destina- vlan2 vlan1 10.10.10.0/24 - 10.100.1.0/24 192.168.1.0/24
tion (external) (internal)
The rule applies to packets sent from vlan2 (external) to vlan1 (internal). With the packets that arrive at vlan2 there is a
check to establish whether the rule applies.
If the source IP address in the subnet of the sender (Source IP subnet) and the destination IP address in the subnet of
the recipient (Source IP subnet), the source IP address is replaced by the suitable IP address from the "Translated
destination IP subnet".
A packet, for example with the source IP address 10.10.10.102 is changed to 192.168.1.102. The devices connected to
vlan1 can communicate with the devices connected to vlan2. This assumes that the corresponding firewall rule is set.
The devices connected to vlan2 must address the devices connected to vlan1 with the virtual IP address from the sub-
net 10.100.1.0.
Example 2:
These IP rules restrict the IP data traffic to a specific device.
3.5.5 Certificates
Certificate types
The device uses different certificates to authenticate the various nodes.
File types
3.5.6 VPN
The device supports the following VPN systems
● IPsec VPN
● OpenVPN
Authentication method
● CA certificate, device and partner certificate (digital signatures)
The use of certificates is an asymmetrical cryptographic system in which every node
(device) has a pair of keys. Each node has a secret, private key and a public key of the
partner. The private key allows the device to authenticate itself and to generate digital
signatures.
● Pre-shared key
The use of a pre-shared key is a symmetrical cryptographic system. Each node has only
one secret key for decryption and encryption of data packets. The authentication is via a
common password.
Encryption methods
The following encryption methods are supported. The selection depends on the phase und
the key exchange method (IKE)
Phase 1 Phase 2
IKEv1 IKEv2 IKEv1 IKEv2
3DES x x x x
AES128 CBC x x x x
AES192 CBC x x x x
AES256 CBC x x x x
AES128 CTR - x x x
AES192 CTR - x x x
AES256 CTR - x x x
AES128 CCM 16 - x x x
AES192 CCM 16 - x x x
AES256 CCM 16 - x x x
AES128 GCM 16 - x x x
AES192 GCM 16 - x x x
AES256 GCM 16 - x x x
x: is supported
-: is not supported
Default Ciphers
During connection establishment a preset list can be transferred to the VPN connection
partners. The list contains combinations of the three algorithms (Encryption, Authentication,
Key Derivation). To establish a VPN connection, the VPN connection partner must support at
least one of these combinations. The combinations depend on the phase und the key
exchange method IKE).
3.5.6.2 OpenVPN
With OpenVPN, virtual private networks (VPN) can be established. As an OpenVPN client,
the device can establish a VPN connection to a remote network.
You configure the OpenVPN client in "Security" > " OpenVPN Client (Page 304)".
The VPN connection is established via virtual device drivers, the TAP and TUN device.
During this, virtual network interfaces are created that act like a physical interface of the
device and represent the endpoint of the VPN tunnel.
The device supports the following:
● TUN device: Routing mode
The LAN Interface and the virtual network interface are located in different IP subnets.
The virtual tunnel interface is assigned a virtual IP address from a devised subnet by the
OpenVPN server. The IP packets (layer 3) are routed between the virtual tunnel interface
and the LAN interface.
Authentication method
● Certificates: CA certificate and device certificate
The use of certificates is an asymmetrical cryptographic system. Each node (device) has
a secret, private key and a public key of the partner. The private key allows the device to
authenticate itself and to generate digital signatures.
● User name / password
Access is restricted by a user name and a password.
Encryption methods
The device also supports the following methods:
● BF CBC
● AES128 CBC
● AES192 CBC
● AES256 CBC
● DES EDE3
Requirement
● In "System > Events > Configuration" for the "Digital Input" event "VPN Tunnel" is
activated.
If this setting is not activated, the event is not passed on to the VPN connection.
Options
The device supports the following options for controlling the VPN tunnel via the digital input:
● start on DI
If the event "Digital Input" occurs, the device becomes "active". The device tries to
establish a VPN connection to a remote station (OpenVPN, IPsec, SINEMA RC).
● Wait on DI
If the event "Digital Input" occurs, the device becomes "passive". The device waits for the
partner to initiate the connection.
Notification options
If the status of the digital input or a VPN tunnel (IPsec, OpenVPN, SINEMA RC) changes,
the device provides several options for notification on the "Events (Page 146)" page.
Note
You can control the digital output directly via CLI or SNMP. In the WBM and CLI, you can
configure the use of the digital output in "Events". Do not control the digital output directly
when you use this in the WBM and CLI.
3.6 Redundancy
3.6.1.1 RSTP
3.6.2 VRRPv3
How it works
The device has an integrated HTTP server for Web Based Management (WBM). If a device
is addressed with a Web browser, it returns HTML pages to the Admin PC depending on the
user input.
The user enters the configuration data in the HTML pages sent by the device. The device
evaluates this information and generates reply pages dynamically.
Access via HTTPS is enabled in the factory setting. With access via HTTP, the address is
automatically redirected to HTTPS.
If you wish to access the WBM via an HTTP connection, you need to select "HTTP &
HTTPS" for "HTTP Services" in "System > Configuration".
Requirements
WBM display
● The device has an IP address.
● There is a connection between the device and the Admin PC.
With the Windows ping command, you can check whether or not a connection exists.
If the device has the factory settings, refer to "Requirements for operation (Page 18)".
● Access via HTTPS is enabled.
● JavaScript is activated in the Web browser.
● The Web browser must not be set so that it reloads the page from the server each time
the page is accessed. The updating of the dynamic content of the page is ensured by
other mechanisms.
In the Internet Explorer, you can make the appropriate setting in the "Options > Internet
Options > General" menu in the section "Browsing history" with the "Settings" button.
Under "Check for newer versions of stored pages:", select "Automatically".
Note
Compatibility view
In Microsoft Internet Explorer, disable the compatibility view to ensure correct display
and to allow problem-free configuration using WBM.
– Mozilla Firefox 57
– Google Chrome V62
Note
Information on the security certificate
Because the device can only be administered using encrypted access, it is delivered with
a self-signed certificate. If certificates with signatures that the operating system does not
know are used, a security message is displayed. You can display the certificate.
3. If there is a connection to the device, the login page of Web Based Management (WBM)
is displayed.
If you wish to access the WBM via an HTTP connection, configure "HTTP & HTTPS" for
"HTTP Services" in "System > Configuration".
Changing language
1. From the drop-down list at the top right, select the language version of the WBM pages.
2. Click the "Go" button to change to the selected language.
Logging in to WBM
1. "Name" input box:
– When you log in for the first time or following a "Restore Factory Defaults and Restart",
enter the user preset in the factory "admin".
With this user account, you can change the settings of the device (read and write
access to the configuration data).
– Enter the user name of the created user account. You configure local user accounts
and roles in "Security > Users".
2. "Password" input box:
– When you log in for the first time or following a "Restore Factory Defaults and Restart",
enter the password of the default user preset in the factory "admin": "admin".
– Enter the password of the relevant user account.
3. Click the "Login" button or confirm your input with "Enter".
Note
When you log in for the first time or following a "Restore Factory Defaults and Restart",
you can rename the "admin" user preset in the factory once. Afterwards, renaming
"admin" is no longer possible. Enter the new name in the corresponding input box.
When you log in for the first time or following a "Restore Factory Defaults and Restart",
you will be prompted to change the password.
The new password must meet the password policy "High":
– Password length: At least 8 characters, maximum 128 characters
– At least 1 uppercase letter
– At least 1 special character (special characters § and ß are not permitted)
– At least 1 number
You need to repeat the password as confirmation. The password entries must match.
4. Click the "Set Values" button to complete the action.
The changes take immediate effect. Access via DCP is write-protected after the admin
password is changed. The network parameters can be read with the Primary Setup Tool
or with "DCP Discovery", but can no longer be changed.
Once you have logged in successfully, the start page appears.
Introduction
With the Basic Wizard, menus guide you through the configuration of the most important
parameters. On the Basic Wizard pages, you can only configure the parameters important
for the basic functionality. You make further settings when you have finished with the Basic
Wizard.
Requirement
● The device has an IP address and can be reached via the Ethernet interface.
● You are logged on in the WBM as a user with administrator rights.
● When shipped or following a "Restore Factory Defaults and Restart" the device can be
reached with the values preset in the factory. For more detailed information, refer to the
section "Requirements for operation (Page 18)".
Button Description
Goes to the next page
Navigation within the pages of the Basic Wizard is possible only with the "Previous" and
"Next" buttons.
4.3.2 IP
Introduction
One of the basic steps in configuration of a device is setting the IPv4 address. The IP
address identifies a device in the network uniquely.
Description
The Basic Wizard page contains the following boxes:
● Internal (vlan1)
In this area make the settings for connection to the LAN.
– IP Address
Enter the IPv4 address of the interface that is unique within your network.
– Subnet Mask
Enter the subnet mask of the subnet you are creating.
● External (vlan2)
In this area make the settings for connection to the WAN.
– DHCP
When enabled the interface receives the IPv4 address from a DHCP server.
– IP Address
Enter the IPv4 address of the interface.
– Subnet Mask
Enter the subnet mask of the subnet you are creating. Subnets on different interfaces
must not overlap.
– DHCP (Gateway)
If the DHCP server transmits an IP address for a gateway, this is displayed here.
● Create new gateway
You define the gateway in this area.
– IP Address
Enter the IP address of the default gateway to be able to communicate with devices in
another subnet.
4.3.3 Device
Introduction
On this Basic Wizard page, you configure the general device information.
Description
The Basic Wizard page contains the following boxes:
● System Name
You can enter the name of the device. If you configure this box, this configuration is
adopted and displayed in the selection area. A maximum of 255 characters are possible.
The system name is also displayed in the CLI input prompt. The number of characters in
the CLI input prompt is limited. The system name is truncated after 16 characters.
● Device Location
You can enter the location where the device is installed. The location is displayed in the
selection area. A maximum of 255 characters are possible.
Note
Permitted characters
The following printable ASCII characters (0x20 to 0x7) are permitted in the input fields:
• 0123456789
• A...Z a...z
• !"#$%&'()*+,-./:;<=>?@ [\]_{|}~^`
● System Contact
You can enter a contact person responsible for managing the device. A maximum of 255
characters are possible.
Time setting
On this Basic Wizard page, you set the date and time of the system.
Description
Manual time setting:
● Time Manually
Enable or disable manual setting of the time. If you enable the option, the "System Time"
input box can be edited.
● System Time
Enter the date and time in the format "MM/DD/YYYY HH:MM:SS".
After a restart, the time of day begins at 01/01/2000 00:00:00
● Use PC Time
Click the button to use the time setting of the PC.
4.3.5 DDNS
On this Basic Wizard page, you configure the dynamic DNS client (DDNS client). The DDNS
client synchronizes the assigned IP address with the hostname registered at the DDNS
provider. This means that the device can always be reached using the same hostname.
Description
The table has the following columns:
● Service
Shows which providers are supported.
● Enabled
When enabled, the device logs on to the DDNS server.
● Host
Enter the hostname that you have agreed with your DDNS provider for the device, e.g.
example.no-ip-com.
● User Name
Enter the user name with which the device logs on to the DDNS server.
● Password
Enter the password assigned to the user.
● Password Confirmation
Confirm the password.
4.3.6 SINEMA RC
On this Basic Wizard page, you configure the access to the SINEMA RC server.
Note
This function can only be used with a KEY PLUG (Page 25).
Description
The Basic Wizard page contains the following boxes:
● Enable SINEMA RC
– Enabled:
A connection to the configured SINEMA RC Server is established. These boxes
cannot be edited.
– Disabled:
The boxes can be edited. Any existing connection is terminated.
"Server settings" area
● SINEMA RC Address
Enter the IPv4 address or the DNS host name of the SINEMA RC Server.
● SINEMA RC Port
Enter the port via which the SINEMA RC Server can be reached.
"Server Verification" area
● Verification Type
– Fingerprint: The identity of the server is verified based on the fingerprint.
– CA certificate: The identity of the server is verified based on the CA certificate.
● Fingerprint
Only necessary with the setting "Fingerprint". Enter the fingerprint of the device. The
fingerprint is assigned during commissioning of the SINEMA RC Server. Based on the
fingerprint, the device checks whether the correct SINEMA RC Server is involved. You
will find further information on this in the Operating Instructions of the SINEMA RC
Server.
● CA Certificate
Only necessary with the setting "CA Certificate". Select the CA certificate of the server
used to sign the server certificate. Only loaded CA certificates can be selected.
"Device Credentials" area
● Device ID
Enter the device ID. The device ID is assigned when configuring the device on the
SINEMA RC Server. You will find further information on this in the Operating Instructions
of the SINEMA RC Server.
● Device Password
Enter the password with which the device logs on to the SINEMA RC Server. The
password is assigned when configuring the device on the SINEMA RC Server. You will
find further information on this in the Operating Instructions of the SINEMA RC Server.
● Device Password Confirmation
Repeat the password.
4.3.7 Summary
Introduction
The settings are summarized on this page. The content of the page depends on the set
parameters and the device.
Check the settings before you exit the Basic Wizard with the "Set Values" button. If settings
are incorrect, go back using the "Prev" button and change the settings to the required ones.
Set Values
Click the "Set Values" button to exit the Basic Wizard. The settings are adopted.
● Printer
When you click this button, a pop-up window opens with a view of the page content
optimized for the printer.
● Favorites
When the product ships, the button is disabled on all pages .
If you click this button, the symbol changes and the currently open page or currently
open tab is marked as favorite. Once you have enabled the button once, the navigation
area is divided into two tabs. The first tab "Menu" contains all the available menus as
previously. The second tab "Favorites" contains all the pages/tabs that you selected as
favorites. On the "Favorites" tab the pages/tabs are arranged according to the structure in
the "Menu" tab.
If you disable all the favorites you have created, the "Favorites" tab is removed again.
You can save, upload and delete the favorites configuration of a device on the "System >
Load&Save" page using HTTP or TFTP.
● Update on / Update off
WBM pages with overview lists can also have the additional "Update" button.
With this button, you can enable or disable updating of the content area. If updating is
turned on, the display is updated every 2 seconds. To disable the update, click "On".
Instead of "On", "Off" is displayed. As default, updating is always enabled on the WBM
page.
● DDNS Status
If a dynamic DNS service is used, the host name of the device is displayed, e.g.
example.no-ip.com. The status of the update is also displayed.
– update successful
Update successful
– update failed
Update unsuccessful
– status unknown
Status unknown
● Fault Status Fault status of the device
Note
If you click the "Refresh" button, before you have transferred your configuration changes
to the device using the "Set Values" button, your changes will be deleted and the
previous configuration will be loaded from the device and displayed here.
Note
Changing configuration data is possible only with the "admin" role.
Note
The changes take immediate effect. But it takes some time for the changes in the
configuration to be stored.
displayed on a page is limited. Click the "Next" button to page down through the data
records.
● Page back with "Prev"
On WBM pages with a lot of data records, the number of data records that can be
displayed on a page is limited. Click the "Prev" button to page back through the data
records.
● Delete the display with "Clear"
In pages with sequence logs, you can delete all table entries at the same time regardless
of whether filters are selected. The display is cleared in this process. The restart counter
is only reset after you have restored the device to the factory settings and restarted the
device.
Click the "Clear" button to completely delete the data record.
● Button "Show all"
You can show all entries in pages with a large number of data records. Click "Show all" to
display all entries on the page. Note that displaying all messages can take some time.
● Drop-down list for page change
In pages with a large number of data records, you can navigate to the desired page.
From the drop-down list, select the relevant page to display it.
● "Reset Counters" button
Click "Reset Counters" to reset all counters. The counters are reset by a restart.
Logout
You can log out from any WBM page by clicking the "Logout" link.
Messages
If you have enabled the "Automatic Save" mode and you change a parameter the following
message appears in the display area "Changes will be saved automatically in x seconds.
Click 'Write Startup Config' to save the changes immediately."
Note
Interrupting the save
Saving starts only after the timer in the message has elapsed. How long saving takes
depends on the device.
During the save, the message "Saving configuration data in progress. Please do not switch
off the device" is displayed.
• Do not switch off the device immediately after the timer has elapsed.
4.4.2 Versions
This WBM page shows the versions of the hardware and software of the device.
Description
Table 1 has the following columns:
● Hardware
– Basic Device
Shows the basic device
● Name
Shows the name of the device.
● Revision
Shows the hardware version of the device.
● Order ID
Shows the article number of the device.
● Software
– Firmware
Shows the current firmware version. If a new firmware file was downloaded and the
device has not yet restarted, the firmware version of the downloaded firmware file is
displayed here. After the next restart, the loaded firmware is activated and used.
– Bootloader
Shows the version of the boot software stored on the device.
– Firmware_Running
Shows the firmware version currently being used on the device.
● Description
Shows the short description of the software.
● Version
Shows the version number of the software version.
● Date
Shows the date on which the software version was created.
● Location tag
Shows the location tag of the device. The location identifier (LID) is created during
configuration of the device with HW Config of STEP 7.
● Date
Shows the date created during configuration of the device with HW Config of STEP 7.
● Descriptor
Shows the description created during configuration of the device with HW Config of
STEP 7.
Description
The table has the following columns:
● Interface
Shows the interface via which the row entry was learnt.
● MAC Address
Shows the MAC address of the destination or source device.
● IP Address
Shows the IPv4 address of the destination device.
● Media Type
Shows the type of connection.
– Dynamic
The device recognized the address data automatically.
– Static
The addresses were entered as static addresses.
Logging events
The WBM page shows the system events that have occurred in the form of a table. Some of
the system events can be configured in "System > Events", for example if the connection
status of a port has changed.
The content of the table is retained even when the device is turned off. The event log file can
be loaded using HTTP, TFTP or SFTP.
Description
● Severity Filters
You can filter the entries in the table according to severity. To display all the entries,
enable or disable all parameters.
Note
For each severity, a maximum of 400 entries in the table are possible. If the maximum
number of entries is reached for a severity, the oldest entries of this severity are
overwritten in the table. The table remains permanently in the memory.
– Critical
Critical
When this parameter is enabled, all entries of the category "Critical" are displayed.
– Warning
warning
When this parameter is enabled, all entries of the category "Warning" are displayed.
– Info
Informative
When this parameter is enabled, all entries of the category "Info" are displayed.
The table has the following columns:
● Restart
Counts the number of restarts since you last reset to factory settings and shows the
device restart after which the corresponding event occurred.
● System Up Time
Shows the time the device has been running since the last restart when the described
event occurred.
● System Time
Shows the date and time when the described event occurred. If no system time is set, the
box displays "Date/time not set".
● Severity
Sorts the entry into the categories above.
● Log Message
Displays a brief description of the event that has occurred.
Description
● Severity Filters
You can filter the entries in the table according to severity. To display all the entries,
enable or disable all parameters.
Note
For each severity, a maximum of 400 entries in the table are possible. If the maximum
number of entries is reached for a severity, the oldest entries of this severity are
overwritten in the table. The table remains permanently in the memory.
– Critical
Critical
When this parameter is enabled, all entries of the category "Critical" are displayed.
– Warning
warning
When this parameter is enabled, all entries of the category "Warning" are displayed.
– Info
Informative
When this parameter is enabled, all entries of the category "Info" are displayed.
The table has the following columns:
● Restart
Counts the number of restarts since you last reset to factory settings and shows the
device restart after which the corresponding event occurred.
● System Up Time
Shows the time the device has been running since the last restart when the described
event occurred.
● System Time
Shows the date and time when the described event occurred. If no system time is set, the
box displays "Date/time not set".
● Severity
Sorts the entry into the categories above.
● Log Message
Displays a brief description of the event that has occurred.
Description
● Severity Filters
You can filter the entries in the table according to severity. To display all the entries,
enable or disable all parameters.
Note
For each severity, a maximum of 400 entries in the table are possible. If the maximum
number of entries is reached for a severity, the oldest entries of this severity are
overwritten in the table. The table remains permanently in the memory.
– Critical
Critical
When this parameter is enabled, all entries of the category "Critical" are displayed.
– Warning
warning
When this parameter is enabled, all entries of the category "Warning" are displayed.
– Info
Informative
When this parameter is enabled, all entries of the category "Info" are displayed.
4.4.6 Faults
Error status
if an error occurs, it is shown on this page. On the device, errors are indicated by red fault
LED lighting up.
Internal errors of the device and errors that you configure on the following pages are
indicated:
● "System > Events"
● "System" > Fault Monitoring"
The calculation of the time of an error always begins after the last system start. If there are
no errors present, the fault LED switches off.
Description
● No. of Signaled Faults
Indicates how often the fault LED lit up and not how many faults occurred.
● Reset Counters button
The number is reset with this button. The counter is reset when there is a restart.
The table contains the following columns:
● Fault Time
Shows the time the device has been running since the last system restart when the
described error/fault occurred.
● Fault Description
Displays a brief description of the fault/error that has occurred.
● Clear Fault State
Some faults can be acknowledged and thus removed from the fault list, e.g. a fault of the
event "Cold/Warm Start". If the "Clear Fault State" button is enabled, you can delete the
error.
● Identification Method
Shows the method with which the DHCP client is identified.
– Remote ID
Shows the remote ID of the DHCP client.
– Circuit ID
Shows the circuit ID of the DHCP client.
– DUID
Shows the DUID of the DHCP client.
● Identification Value
Shows the value that is assigned to the identification method.
● Allocation Method
Shows whether the IPv4 address was assigned statically or dynamically. You configure
the static entries in "System > DHCP > Static Leases".
● Binding State
Shows the status of the assignment.
– Associated
The assignment is used.
– not used
The assignment is not used.
– probing
The assignment is being checked.
– unknown
The status of the assignment is unknown.
● Expire Time
Shows how long the assigned IPv4 address is still valid. When half the period of validity
has elapsed. the DHCP client can extend the period of the assigned IPv4 address. When
the entire time has elapsed, the DHCP client needs to request a new IPv4 address.
4.4.8 SNMP
This page displays the created SNMPv3 groups. You configure the SNMPv3 groups in
"System > SNMP".
Description
The table has the following columns:
● Group Name
Shows the group name.
● User Name
Shows the user that is assigned to the group.
4.4.9 LLDP
Description
The table contains the following columns:
● System Name
Displays the system name of the connected device.
● Device ID
Shows the device ID of the connected device. The device ID corresponds to the device
name assigned via PST (STEP 7). If no device name is assigned, the MAC address of
the device is displayed.
● Local Interface
Shows the port at which the device received the information.
● Hold Time
An entry remains stored on the device for the time specified here. If the IE switch does
not receive any new information from the connected device during this time, the entry is
deleted.
● Capability
Shows the properties of the connected device:
– Router
– Bridge
– Telephone
– DOCSIS Cable Device
– WLAN Access Point
– Repeater
– Station
– Other
● Port ID
Shows the port of the device with which the device is connected.
Introduction
This page shows the routes currently being used.
Description
The table has the following columns:
● Destination Network
Shows the destination address of this route.
● Subnet Mask
Shows the subnet mask of this route.
● Gateway
Shows the gateway for this route.
● Interface
Shows the interface for this route.
● Metric
Shows the metric of the route. The higher value, the longer packets require to their
destination.
● Routing Protocol
Shows the routing protocol from which the entry in the routing table originates. The
following entries are possible:
– Connected: Connected routes
– Static: Static routes
– DHCP: Routes via DHCP
4.4.12 SINEMA RC
Shows information on SINEMA RC Server.
Note
This function can only be used with a KEY PLUG.
● GSM Number
If configured, the phone number of the device is displayed.
● Vendor
If configured, the entry is displayed.
● Comment
If configured, the comment is displayed.
● Type of Connection (Server)
Shows which type of connection is set on the SINEMA RC Server.
● Type of Connection (Device)
Shows which type of connection is set on the device.
● Fingerprint
Shows the fingerprint of the server certificate. Is only displayed when the fingerprint is
used for verification.
● Remote Address
Shows the IP address of the SINEMA RC Server.
● Connected Local Subnet(s)
Shows the IP addresses of the local subnets. Is only displayed when the option
"Connected local subnets" is enabled on the SINEMA RC Server. You will find further
information on this in the Operating Instructions of the SINEMA RC Server.
● Connected Local Host (s)
Shows the destination IP address of the hosts that can be reached.
● Tunnel Interface Address
Shows the IP address of the virtual tunnel interface.
● Connected Remote Subnet(s)
Shows the subnets of the SINEMA RC Server that are reachable for the device. Which
subnets are reachable for the device depends on the communications relations on the
SINEMA RC Server. You will find further information on this in the Operating Instructions
of the SINEMA RC Server.
4.4.14 Redundancy
4.4.14.1 Overview
MSTP-CIST configuration
The page consists of the following parts.
● The left-hand side of the page shows the configuration of the device.
● The right-hand part shows the configuration of the root bridge that can be derived from
the spanning tree frames received by a device.
● Root Port
Shows the port via which the switch communicates with the root bridge.
● Root Cost
The path costs from this device to the root bridge.
● Topology Changes / Last Topology Change
The entry for the device shows the number of reconfiguration actions due to the spanning
tree mechanism since the last startup. For the root bridge, the time since the last
reconfiguration is displayed as follows:
– Seconds: Supplement "sec" after the number
– Minutes: Supplement "min" after the number
– Hours: Supplement "hr" after the number
● Bridge Hello Time / Root Hello Time
Each bridge sends configuration frames (BPDUs) regularly. The interval between two
such frames is the Hello time. The default for this parameter is 2 seconds.
● Bridge Forward Delay / Root Forward Delay
New configuration information is not used immediately by a bridge but only after the
forwarding delay specified in the parameter. This ensures that operation is only started
with the new topology after all the bridges have the required information. The default for
this parameter is 15 seconds.
● Bridge Max Age / Root Max Age
When the max age timer elapses the received BPDU is discarded to be accepted as valid
by the switch. The default value is 20s.
● Bridge Max Hop Count
This parameter specifies how many MSTP nodes a BPDU may pass through. If an MSTP
BPDU is received and has a hop count that exceeds the value configured here, it is
discarded. The default for this parameter is 20.
● Root Hop Count
The number of nodes that need to be run through on the way to the root bridge.
Introduction
The page shows the current information about the spanning tree and the settings of the root
bridge.
of the frames. The value for the bridge priority is a whole multiple of 4096 with a range of
values from 0 to 32768.
● Bridge Address / Root Address
The bridge address shows the MAC address of the device and the root address shows
the MAC address of the root switch.
● Root Cost
Shows the path costs from the device to the root bridge.
● Bridge Status
Shows the status of the bridge, e.g. whether or not the device is the root bridge.
The table has the following columns:
● Port
Shows the interfaces via which the device communicates.
● Role
Shows the status of the port. The following values are possible:
– Disabled
The port was removed manually from the spanning tree and will no longer be taken
into account by the spanning tree.
– Designated
The ports leading away from the root bridge.
– Alternate
The port with an alternative route to a network segment
– Backup
If a switch has several ports to the same network segment, the "poorer" Port becomes
the backup port.
– Root
The port that provides the best route to the root bridge.
– Master
This port points to a root bridge located outside the MST region.
● Status
Shows the current status of the interface. The values are only displayed. The parameter
depends on the configured protocol.
– Discarding
The port receives BPDU frames. Other incoming or outgoing frames are discarded.
– Listening
The port receives and sends BPDU frames. The port is involved in the spanning tree
algorithm. Other outgoing and incoming frames are discarded.
– Learning
The port actively learns the topology; in other words, the node addresses. Other
outgoing and incoming frames are discarded.
– Forwarding
Following the reconfiguration time, the port is active in the network. The port receives
and sends data frames.
● Oper. Version
Shows the compatibility mode of Spanning Tree used by the port.
● Priority
If the path calculated by the spanning tree is possible over several ports of a device, the
port with the highest priority (in other words the lowest value for this parameter) is
selected. A value between 0 and 240 can be entered for the priority in steps of 16. If you
enter a value that cannot be divided by 16, the value is automatically adapted. The
default is 128.
● Path Cost
This parameter is used to calculate the path that will be selected. The path with the
lowest value is selected. If several ports of a device have the same value, the port with
the lowest port number is selected.
If the value in the "Cost Calc" field is "0", the automatically calculated value is displayed.
Otherwise, the value of the "Cost Calc" field is displayed.
The calculation of the path costs is largely based on the transmission speed. The higher
the achievable transmission speed is, the lower the value of the path costs.
Typical values for path costs with rapid spanning tree:
– 10,000 Mbps = 2,000
– 1000 Mbps = 20,000
– 100 Mbps = 200,000
– 10 Mbps = 2,000,000
● Edge Type
Shows the type of the connection. The following values are possible:
– Edge Port
There is an end device at this port.
– No Edge Port
There is a spanning tree or rapid spanning tree device at this port.
● P.t.P. Type
Shows the type of point-to-point link. The following values are possible:
– P.t.P.
With half duplex, a point-to-point link is assumed.
–
Shared Media
With a full duplex connection, a point-to-point link is not assumed.
Introduction
This page shows the statistics of the VRRPv3 protocol and all configured virtual routers.
Description
The following fields are displayed:
● VRID Errors
Shows how many VRRPv3 packets containing an unsupported VRID were received.
● Version Errors
Shows how many VRRPv3 packets containing an invalid version number were received.
● Checksum Errors
Shows how many VRRPv3 packets containing an invalid checksum were received.
The table has the following columns:
● Interfaces
Interface to which the settings relate.
● VRID
Shows the ID of the virtual router. Valid values are 1 ... 255.
● Address Type
Shows the version of the IP protocol.
● Become Master
Shows how often this virtual router changed to the "Master" status.
● Advertisements Received
Shows how many VRRPv3 packets were received.
● IP TTL Errors
Shows how many bad VRRPv3 packets were received whose TTL (Time to live) value in
the IP header is incorrect.
● Prio 0 received
Shows how many VRRPv3 packets with priority 0 were received. VRRPv3 packets with
priority 0 are sent when a master router is shut down. These packets allow a fast
handover to the relevant backup router.
● Prio 0 sent
Shows how many VRRPv3 packets with priority 0 were sent. Packets with priority 0 are
sent when a master router is shut down. These packets allow a fast handover to the
relevant backup router.
● Invalid Type
Shows how many bad VRRPv3 packets were received whose value in the "Type" field of
the IP header is invalid.
● Address List Errors
Shows how many bad VRRPv3 packets were received whose address list does not
match the locally configured list.
● Packet Length Errors
Shows how many bad VRRPv3 packets were received whose length is not correct.
4.4.16 Security
4.4.16.1 Overview
Note
The values displayed depend on the rights of the logged-in user.
This page shows the security settings and the local and external user accounts.
Description
Services
The "Services" list shows the security settings.
● Telnet Server
You configure the setting in "System > Configuration".
– Enabled: Unencrypted access to the CLI.
– Disabled: No unencrypted access to the CLI.
● SSH Server
You configure the setting in "System > Configuration".
– Enabled: Encrypted access to the CLI.
– Disabled: No encrypted access to the CLI.
● Web Server
You configure the setting in "System > Configuration".
– HTTP/HTTPS: Access to the WBM is possible with HTTP and HTTPS.
– HTTPS: Access to the WBM is now only possible with HTTPS.
● SNMP
You can configure setting in "System > SNMP > General".
– "-" (SNMP disabled)
Access to device parameters via SNMP is not possible.
– SNMPv1/v2c/v3
Access to device parameters is possible with SNMP versions 1, 2c or 3.
– SNMPv3
Access to device parameters is possible only with SNMP version 3.
● Management ACL
You configure the setting in "Security > Management ACL".
– Enabled: Restricted access only: Access is restricted using an Access Control List
(ACL).
– Disabled: No access restriction: Management ACL is not enabled.
– Enabled: No access restriction: Management ACL is enabled, but access is not
restricted using an Access Control List (ACL).
● Login Authentication
You configure the setting in "Security > AAA > General".
– Local
The authentication must be made locally on the device.
– RADIUS
The authentication must be handled via a RADIUS server.
– Local and RADIUS
The authentication is possible both with the users that exist on the device (user name
and password) and via a RADIUS server.
The user is first searched for in the local database. If the user does not exist there, a
RADIUS query is sent.
Note
The table "External User Accounts" is only evaluated if you have set "SiemensVSA" in the
RADIUS Authorization Mode.
Note
The values displayed depend on the role of the logged-on user.
The page shows the function rights available locally on the device.
4.4.16.3 Roles
Note
The values displayed depend on the role of the logged-on user.
Description
The table contains the following columns:
● Role
Shows the name of the role.
● Function Right
Shows the function right of the role:
– 1
Users with this role can read device parameters but cannot change them.
– 15
Users with this role can both read and change device parameters.
– 0
This is a role that the device assigns internally when a user could not be
authenticated. The user is denied access to the device.
● Description
Shows a description of the role.
4.4.16.4 Groups
Note
The values displayed depend on the role of the logged-on user.
This page shows which group is linked to which role. The group is defined on a RADIUS
server. The roll is defined locally on the device.
4.5.1 Configuration
System configuration
The WBM page contains the configuration overview of the access options of the device.
Specify the services that access the device. With some services, there are further
configuration pages on which more detailed settings can be made.
Description
The page contains the following boxes:
● Telnet Server
Enable or disable the Telnet server service for unencrypted access to the CLI.
● SSH Server
Enable or disable the SSH server service for encrypted access to the CLI.
● HTTP Services
Specify how the WBM is accessed:
– HTTPS
Access to the WBM is only possible with HTTPS.
– HTTP/HTTPS
Access to the WBM is only possible with HTTP and HTTPS.
– Redirect HTTP to HTTPS
Access via HTTP is automatically diverted to HTTPS.
● Default Login Page
Specify the login page with which the WBM starts by default.
– Firewall
Logging into the WBM page for user-specific firewall.
– Configuration
Logging into the WBM.
● SMTP Client
Enable or disable the SMTP client. You can configure other settings in "System > SMTP
Client".
● Syslog Client
Enable or disable the Syslog client. You can configure other settings in "System > Syslog
Client".
● DCP Server
Specify whether or not the device can be accessed with DCP (Discovery and
Configuration Protocol):
– "-" (disabled)
DCP is disabled. Device parameters can neither be read nor modified.
– Read/Write
With DCP, device parameters can be both read and modified.
– Read Only
With DCP, device parameters can be read but cannot be modified.
● Time
Select the setting from the drop-down list. The following settings are possible:
– Manual
The system time is set manually. You can configure other settings in "System >
System Time > Manual Setting".
– SIMATIC Time
The system time is set using a SIMATIC time transmitter. You can configure other
settings in "System > System Time > SIMATIC Time Client".
– SNTP Client
The system time is set via an SNTP server. You can configure other settings in
"System > System Time > SNTP Client".
– NTP Client
The system time is set via an NTP server. You can configure other settings in "System
> System Time > NTP Client".
● SNMP
Select the protocol from the drop-down list. The following settings are possible:
– "-" (SNMP disabled)
Access to device parameters via SNMP is not possible.
– SNMPv1/v2c/v3
Access to device parameters is possible with SNMP versions 1, 2c or 3. You can
configure other settings in "System > SNMP > General".
– SNMPv3
Access to device parameters is possible only with SNMP version 3. You can configure
other settings in "System > SNMP > General".
● SNMPv1/v2 Read Only
Enable or disable write access to SNMP variables with SNMPv1/v2c.
● SNMPv1 Traps
Enable or disable the sending of SNMPv1 traps (alarm frames). You can configure other
settings in "System > SNMP > Traps".
● SINEMA Configuration Interface
If the SINEMA configuration interface is enabled, you can download configurations to the
device using STEP 7 Basic / Professional.
● DHCP Client
Enable or disable the DHCP client. You can configure other settings in "System > DHCP".
● DUID Type
Specify which DUID type is used. The DUID types are defined in RFC 3315.
– DUID-LLT
DUID is based on the link layer address of the interface and a time stamp
– DUID-EN
DUID is assigned by the vendor (EN = enterprise number)
– DUID-LL
DUID is based on the link layer address of the interface
Note
Interrupting the save
Saving starts only after the timer in the message has elapsed. How long saving takes
depends on the device.
During the save, the message "Saving configuration data in progress. Please do not
switch off the device" is displayed.
• Do not switch off the device immediately after the timer has elapsed.
– Trial
Trial mode. In Trial mode, although changes are adopted, they are not saved in the
configuration file (startup configuration).
To save changes in the configuration file, use the "Write startup config" button. The
display area also shows the message "Trial Mode Active – Press the "Write Startup
Config" button to make your settings persistent" as soon as there are unsaved
modifications. This message can be seen on every WBM page until the changes
made have either been saved or the device has been restarted.
Procedure
1. To use the required function, select the corresponding check box.
2. Select the options you require from the drop-down lists.
3. Click the "Set Values" button.
4.5.2 General
4.5.2.1 Device
This WBM page contains the general device information.
Description
The WBM page contains the following boxes:
● Current System Time
Shows the current system time. The system time is either set by the user or by a time-of-
day frame: either SINEC H1 time-of-day frame, NTP or SNTP.
● System Up Time
Shows the operating time of the device since the last restart.
● Device Type
Shows the type designation of the device.
● System Name
You can enter the name of the device. The entered name is displayed in the selection
area. A maximum of 255 characters are possible.
The system name is also displayed in the CLI input prompt. The number of characters in
the CLI input prompt is limited. The system name is truncated after 16 characters.
● System Contact
You can enter the name of a contact person responsible for managing the device. A
maximum of 255 characters are possible.
● System Location
You can enter the location where the device is installed. The entered installation location
is displayed in the selection area. A maximum of 255 characters are possible.
Note
Permitted characters
The following printable ASCII characters (0x20 to 0x7e) are permitted in the input fields
"System Name", "System Contact" and "Device Location":
• 0123456789
• A...Z a...z
• !"#$%&'()*+,-./:;<=>?@ [\]_{|}~^`
Procedure
1. Enter the contact person responsible for the device in the "System Contact" input box.
2. Enter the identifier for the location at which the device is installed in the "System
Location" input box.
3. Enter the name of the device in the "System Name" input box.
4. Click the "Set Values" button.
Note: Steps 1 to 3 can also be performed with the SNMP Management Tool.
4.5.2.2 Coordinates
Description
The page contains the following input boxes with a maximum length of 32 characters.
● "Latitude" input box
Geographical latitude: Here, enter the value for the northerly or southerly latitude of the
location of the device.
For example, the value +49° 1´31.67" means that the device is located at 49 degrees, 1
arc minute and 31.67 arc seconds northerly latitude.
A southerly latitude is shown by a preceding minus character.
You can also append the letters N (northerly latitude) or S (southerly latitude) to the
numeric information (49° 1´31.67" N).
● "Longitude" input box
Geographic longitude: Here, you enter the value of the eastern or western longitude of
the location of the device.
The value +8° 20´58.73" means that the device is located at 8 degrees, 20 minutes and
58.73 seconds east.
A western longitude is indicated by a preceding minus sign.
You can also add the letter E (easterly longitude) or W (westerly longitude) to the numeric
information (8° 20´58.73" E).
Procedure
1. Enter the calculated latitude in the "Latitude" input box.
2. Enter the calculated longitude in the "Longitude" input box.
3. Enter the height above sea level in the "Height" input box.
4. Click the "Set Values" button.
4.5.3 Restart
Note
Note the following points about restarting a device:
• You can only restart the device with administrator privileges.
• A device should only be restarted with the buttons of this menu and not by a power cycle
on the device.
• Any modifications you have made only become active on the device after clicking the "Set
Values" button on the relevant WBM page. If the device is in "Trial Mode", configuration
modifications must be saved manually before a restart. In "Autosave mode", the last
changes are saved automatically before a restart.
Description
To restart the device, the buttons on this page provide you with the following options:
● Restart
Click this button to restart the system. You must confirm the restart in a dialog box.
During a restart, the device is reinitialized, the internal firmware is reloaded, and the
device runs a self-test. The settings of the start configuration are retained, e.g. the IP
address of the device. The learned entries in the address table are deleted. You can
leave the browser window open while the device restarts. After the restart you will need to
log in again.
Note
By resetting to the factory configuration settings, the device is reachable again with the IP
address 192.168.1.1 set in the factory, see the section "Requirements for operation".
4.5.4 Load&Save
4.5.4.2 HTTP
Note
Configuration files and Trial mode/Automatic Save
In "Automatic Save" mode, the data is saved automatically before the configuration files
(ConfigPack and Config) are transferred.
In "Trial" mode, although the changes are adopted, they are not saved in the configuration
files (ConfigPack and Config). Use the "Write Startup Config" button on the "System >
Configuration" WBM page to save changes in the configuration files.
Note
The downloadable CLI script is not intended to be uploaded again unchanged.
CLI commands for saving and loading files cannot be executed with the CLI script file
(Script).
Description
The table has the following columns:
● Type
Shows the file type.
● Description
Shows the short description of the file type.
● Load
With this button, you can upload files to the device. The button can be enabled, if this
function is supported by the file type.
● Save
With this button, you can download files from the device. The button can only be enabled
if this function is supported by the file type and the file exists on the device.
● Delete
With this button, you can delete files from the device. The button can only be enabled if
this function is supported by the file type and the file exists on the device.
Note
Following a firmware update, delete the cache of your Internet browser.
Procedure
Uploading data using HTTP
1. Start the upload function by clicking one of the "Load" buttons.
Note
Files whose access is password protected
To be able to load these files on the device successfully, you need to enter the password
specified for the file in "System" > "Load&Save" > "Passwords".
Note
Cell firmware update M87x
After a cell firmware update, the device automatically restarts
Note
Configuration data has a checksum. If you edit the files, you can no longer upload them to
the IE switch.
4.5.4.3 TFTP
Note
Configuration files and Trial mode/Automatic Save
In "Automatic Save" mode, the data is saved automatically before the configuration files
(ConfigPack and Config) are transferred.
In "Trial" mode, although the changes are adopted, they are not saved in the configuration
files (ConfigPack and Config). Use the "Write Startup Config" button on the "System >
Configuration" WBM page to save changes in the configuration files.
Note
The downloadable CLI script is not intended to be uploaded again unchanged.
CLI commands for saving and loading files cannot be executed with the CLI script file
(Script).
Description
The page contains the following boxes:
● TFTP Server Address
Enter the IP address or the FQDN (Fully Qualified Domain Name) of the TFTP server with
which you exchange data.
● TFTP Server Port
Enter the port of the TFTP server via which data exchange will be handled. If necessary,
you can change the default value 69 to your own requirements.
The table has the following columns:
● Type
Shows the file type.
● Description
Shows the short description of the file type.
● Filename
A file name is preset here for every file type.
Note
Changing the file name
You can change the file name preset in this column. After loading on the device, the
changed file name can also be used with the Command Line Interface.
● Actions
Select the action from the drop-down list. The selection depends on the selected file type,
for example, the log file can only be saved.
The following actions are possible:
– Save file
With this selection, you save a file on the TFTP server.
– Load file
With this selection, you load a file from the TFTP server.
Procedure
Loading or saving data using TFTP
1. Enter the address of the TFTP server in "TFTP server address".
2. Enter the port of the TFTP server to be used in "TFTP Server Port".
3. If applicable, enter the name of a file in which you want to save the data or take the data
from in "Filename".
Note
Files whose access is password protected
To be able to load these files on the device successfully, you need to enter the password
specified for the file in "System" > "Load&Save" > "Passwords".
4. Select the action you want to execute from the "Actions" drop-down list.
5. Click "Set Values" to start the selected action.
6. If a restart is necessary, a message to this effect will be output. Click the "OK" button to
run the restart. If you click the "Abort" button, there is no device restart. The changes only
take effect after a restart.
Note
Cell firmware update M87x
After a cell firmware update, the device automatically restarts
Note
Configuration data has a checksum. If you change the data, you can no longer upload it to
the device.
4.5.4.4 SFTP
Note
Configuration files and Trial mode/Automatic Save
In "Automatic Save" mode, the data is saved automatically before the configuration files
(ConfigPack and Config) are transferred.
In "Trial" mode, although the changes are adopted, they are not saved in the configuration
files (ConfigPack and Config). Use the "Write Startup Config" button on the "System >
Configuration" WBM page to save changes in the configuration files.
Note
The downloadable CLI script is not intended to be uploaded again unchanged.
CLI commands for saving and loading files cannot be executed with the CLI script file
(Script).
Description
The page contains the following boxes:
● SFTP Server Address
Enter the IP address or the FQDN of the SFTP server with which you exchange data.
● SFTP Server Port
Enter the port of the SFTP server via which data exchange will be handled. If necessary,
you can change the default value 22 to your own requirements.
● SFTP User
Enter the user for access to the SFTP server. This assumes that a user with the
corresponding rights has been created on the SFTP server.
● SFTP Password
Enter the password for the user
● SFTP Password Confirmation
Confirm the password.
The table has the following columns:
● Type
Shows the file type.
● Description
Shows the short description of the file type.
● Filename
A file name is preset here for every file type.
Note
Changing the file name
You can change the file name preset in this column. After loading on the device, the
changed file name can also be used with the Command Line Interface.
● Actions
Select the action from the drop-down list. The selection depends on the selected file type,
for example you can only save the log file.
The following actions are possible:
– Save file
With this selection, you save a file on the SFTP server.
– Load file
With this selection, you load a file from the SFTP server.
Procedure
Loading or saving data using SFTP
1. Enter the address of the SFTP server in "SFTP Server Address".
2. Enter the port of the SFTP server to be used in "SFTP Server Port".
3. Enter the user data (user name and password) required for access to the SFTP server.
4. If applicable, enter the name of a file in which you want to save the data or take the data
from in "Filename".
Note
Files whose access is password protected
To be able to load these files on the device successfully, you need to enter the password
specified for the file in "System" > "Load&Save" > "Passwords".
5. Select the action you want to execute from the "Actions" drop-down list.
6. Click "Set Values" to start the selected action.
7. If a restart is necessary, a message to this effect will be output. Click the "OK" button to
run the restart. If you click the "Abort" button, there is no device restart. The changes only
take effect after a restart.
Note
Cell firmware update M87x
After a cell firmware update, the device automatically restarts
Note
Configuration data has a checksum. If you change the data, you can no longer upload it to
the IE switch.
4.5.4.5 Passwords
There are files to which access is password protected. To successfully load the file into the
device, enter the password specified for the file on the WBM page.
Description
The table has the following columns:
● Type
Shows the file type.
● Description
Shows the short description of the file type.
● Setting
When selected, the password is used. Can only be enabled if the password is configured.
● Password
Enter the password for the file.
● Password Confirmation
Confirm the new password.
● Status
Shows whether the current settings for the file match the device.
– Valid
The settings are valid.
– Invalid
the settings are invalid.
– '-'
Status cannot be evaluated.
Procedure
1. Enter the password in "Password".
2. To confirm the password, enter the password again in "Password Confirmation".
3. Select the "Enabled" option.
4. Click the "Set Values" button.
4.5.5 Events
4.5.5.1 Configuration
Description
With Table 1, you can enable or disable all check boxes of a column of Table 2 at once.
Table 1 has the following columns:
● All Events
Shows that the settings are valid for all events of table 2.
● E-mail / Trap / Log Table / Syslog / Fault / Digital Out / VPN Tunnel
Enable or disable the required type of notification for all events. If "No Change" is
selected, the entries of the corresponding column in table 2 remain unchanged.
● Copy To Table
If you click the button, the setting is adopted for all events of table 2.
Table 2 has the following columns:
● Event
The "Event" column contains the following:
– Cold/Warm Start
The device was turned on or restarted by the user. In the error memory of the device a
new entry is generated with the type of restart performed.
– Link Change
This event occurs only when the port status is monitored and has changed, see
"System > Fault Monitoring > Link Change".
– Authentication Failure
This event occurs when access is attempted with an incorrect password.
– Fault State Change
The fault status has changed. The fault state can relate to the activated port
monitoring, the response of the signaling contact or the power supply monitoring.
– Security Logs
An entry is made in the security log if the IPsec method was used for VPN.
– Firewall Logs
Each time individual firewall rules are applied, this is recorded in the firewall log. To do
this, the LOG function must be enabled for the various firewall functions.
– DDNS Client Logs
The event occurs when the DDNS client synchronizes the assigned IP address with
the hostname registered at the DDNS provider.
– System Connection Status
The connection status has changed.
Procedure
Establishing/terminating a VPN tunnel via the digital input
1. For the "Digital In" event, activate the "VPN Tunnel" entry.
2. Configure the VPN connection
– IPsec:
In "Operation" set "wait on DI" or "start on DI". You will find more information on this in
"IPsec > Connections" and in "VPN connection establishment".
– OpenVPN:
In "Operation" set "start on DI". You will find more information on this in "OpenVPN >
Connections" and in "VPN connection establishment".
– SINEMA RC:
In "Type of connection" set "Auto" or "Digital Input". With "Type of connection" "Auto",
on the SINEMA RC Server you need to set the type of connection "Digital Input" under
"Remote connections > Devices". You will find further information on this topic in the
operating instructions "SINEMA RC Server".
3. Click on "Set Values".
Description
The table has the following columns:
● Client Type
Select the client type for which you want to make settings:
– E-mail
Sending system event messages by e-mail.
– Log Table
Entry of system events in the log table.
– Syslog
Entry of system events in the Syslog file.
● Severity
Select the required severity. The following settings are possible:
– Info
The messages of all severities are sent or logged.
– Warning
The messages of this severity and the "critical" severity are sent or logged.
– Critical
Only the messages of this severity are sent or logged.
4.5.6.1 General
Description
The page contains the following boxes:
● SMTP Client
Enable or disable the SMTP client.
● SMTP Server Address
Enter the IP address or the FQDN (Fully Qualified Domain Name) of the SMTP server.
Note
2-factor authentication (2FA)
2-factor authentication is not supported.
– SSL/TLS
– StartTLS
– None: The e-mail is transferred unencrypted.
● Test
Sends a test e-mail to the configured recipients.
● Test Result
Shows whether the e-mail was sent successfully or not. If sending was not successful,
the message contains possible causes.
Procedure
Configuring the SMTP server
1. Enable the "SMTP Client" function.
2. Enter the IP address or the FQDN of the SMTP server for "SMTP Server Address".
3. Click the "Create" button. A new entry is generated in the table.
4. Enter the name of the sender that will be included in the e-mail for "Sender Email
Address".
5. Enter the user name and password if the SMTP server prompts you to log in.
6. Under "Security", specify whether transfer to the SMTP server is encrypted.
7. Enable the SMTP server entry.
8. Click the "Set Values" button.
Note
Depending on the properties and configuration of the SMTP server, it may be necessary
to adapt the "Sender E-Mail Address" input for the e-mails. Check with the administrator
of the SMTP server.
4.5.6.2 Recipient
On this page, you specify who receives an e-mail when an event occurs.
Description
The page contains the following boxes:
● SMTP Server
Specify the SMTP server via which the e-mail is sent.
● Email address of the SMTP recipient
Enter the e-mail address to which the device sends an e-mail.
The table contains the following columns:
● Select
Select the check box in a row to be deleted.
● SMTP Server
Shows the IP address or the FQDN (Fully Qualified Domain Name) of the SMTP server to
which the entry relates.
● Send
When enabled, the device sends an e-mail to this recipient.
● Email address of the SMTP recipient
Shows the e-mail address to which the device sends an e-mail if a fault occurs.
Procedure
Configuring an SMTP recipient
1. Select the required "SMTP Server".
2. Enter the e-mail address of the SMTP recipient.
3. Click the "Create" button. A new entry is generated in the table.
4. Activate the "Send" option for the entry.
5. Click the "Set Values" button.
4.5.7 SNMP
4.5.7.1 General
Configuration of SNMP
On this page, you make the basic settings for SNMP. Enable the check boxes according to
the function you want to use. Note the information in the section "Technical basics".
Description
The page contains the following boxes:
● SNMP
Select the SNMP protocol from the drop-down list. The following settings are possible:
– "-" (disabled)
SNMP is disabled.
– SNMPv1/v2c/v3
SNMPv1/v2c/v3 is supported.
Note
Note that SNMP in versions 1 and 2c does not have any security mechanisms.
– SNMPv3
Only SNMPv3 is supported.
● SNMPv1/v2c Read Only
If you enable this option, SNMPv1/v2c can only read the SNMP variables.
Note
Community String
For security reasons, do not use the standard values "public" or "private". Change the
community strings following the initial installation.
The recommended minimum length for community strings is 6 characters.
Procedure
1. Select the required option from the "SNMP" drop-down list:
– "-" (disabled)
– SNMPv1/v2c/v3
– SNMPv3
2. Enable the "SNMPv1/v2c Read Only" check box if you only want read access to SNMP
variables with SNMPv1/v2c.
3. Enter the required character string in the "SNMPv1/v2c Read Community String" input
box.
4. Enter the required character string in the "SNMPv1/v2c Read/Write Community String"
input box.
5. If necessary, enable the SNMPv3 User Migration.
6. Click the "Set Values" button.
4.5.7.2 Traps
Note
Traps are only sent if you have enabled the option "SNMPv1 Traps" in the "General" tab or
in "System > Configuration".
Description
The page contains the following boxes:
● Trap Receiver Address
Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the
station to which the device sends SNMP traps. You can specify up to ten different
recipients servers.
The table has the following columns:
● Select
Select the row you want to delete.
● Trap Receiver Address
If necessary, change the IP address, the FQDN (Fully Qualified Domain Name) or the
host name of the stations.
● Trap
Enable or disable the sending of traps. Stations that are entered but not selected do not
receive SNMP traps.
Procedure
Creating a trap entry
1. In "Trap Receiver Address", enter the IP address, the FQDN or the host name of the
station to which the device will send traps.
2. Click the "Create" button to create a new trap entry.
3. Select the check box in the required row "Trap".
4. Click the "Set Values" button.
Deleting a trap entry
1. Enable "Select" in the row to be deleted.
2. Click the "Delete" button. The entry is deleted.
4.5.7.3 v3 Groups
Description
The page contains the following boxes:
● Group Name
Enter the name of the group. The maximum length is 32 characters.
● Security Level
Select the security level (authentication, encryption) valid for the selected group. The
available options are as follows:
– No Auth/no Priv
No authentication enabled/no encryption enabled.
– Auth/no Priv
Authentication enabled/no encryption enabled.
– Auth/Priv
Authentication enabled/encryption enabled.
The table has the following columns:
● Select
Select the row you want to delete.
● Group Name
Shows the defined group names.
● Security Level
Shows the configured security level.
● Read
Enable or disable read access for the required group.
● Write
Enable or disable write access for the required group.
Note
For write access to work, you also need to enable read access.
● Persistence
Shows whether or not the group is assigned to an SNMPv3 user. If the group is not
assigned to an SNMPv3 user, no automatic saving is triggered and the configured group
is deleted after restarting the device.
– Yes
The group is assigned to an SNMPv3 user.
– No
The group is not assigned to an SNMPv3 user.
Procedure
Creating a new group
1. Enter the required group name in "Group Name".
2. Select the required security level from the "Security Level" drop-down list.
3. Click the "Create" button to create a new entry.
4. Specify the required read rights for the group in "Read".
5. Specify the required write rights for the group in "Write".
6. Click the "Set Values" button.
Modifying a group
1. Specify the required read rights for the group in "Read".
2. Specify the required write rights for the group in "Write".
3. Click the "Set Values" button.
Note
Once a group name and the security level have been specified, they can no longer be
modified after the group is created. If you want to change the group name or the security
level, you will need to delete the group and recreate it and reconfigure it with the new
name.
Deleting a group
1. Enable "Select" in the row to be deleted.
Repeat this for all groups you want to delete.
2. Click the "Delete" button. The entries are deleted.
4.5.7.4 v3 users
Description
The page contains the following boxes:
● User Name
Enter a freely selectable user name. After you have entered the data, you can no longer
modify the name.
The table has the following columns:
● Select
Select the row you want to delete.
● User Name
Shows the created users.
● Group Name
Select the group which will be assigned to the user.
● Authentication Protocol
Specify the authentication protocol for which a password will be stored.
The following settings are available:
– None
– MD5
– SHA
● Encryption Protocol
Specify whether or not a password should be stored for encryption with the DES
algorithm. Can only be enabled when an authentication protocol has been selected.
● Authentication Password
Enter the authentication password in the first input box. This password must have at least
1 character, the maximum length is 32 characters.
Note
Length of the password
As an important measure to maximize security, we recommend that the password has a
minimum length of 6 characters and that it contains special characters,
uppercase/lowercase letters, numbers.
Note
Length of the password
As an important measure to maximize security, we recommend that the password has a
minimum length of 6 characters and that it contains special characters,
uppercase/lowercase letters, numbers.
Procedure
Create a new user
1. Enter the name of the new user in the "User Name" input box.
2. Click the "Create" button. A new entry is generated in the table.
3. In "Group Name", select the group to which the new user will belong.
If the group has not yet been created, change to the "v3 Groups" page and make the
settings for this group.
4. If an authentication is necessary for the selected group, select the authentication
algorithm in "Authentication Protocol".
In the relevant input boxes, enter the authentication password and its confirmation.
5. If encryption was specified for the group, select the algorithm in "Privacy Protocol". In the
relevant input boxes, enter the encryption password and the confirmation.
6. Click the "Set Values" button.
Delete user
1. Enable "Select" in the row to be deleted.
Repeat this for all users you want to delete.
2. Click the "Delete" button. The entry is deleted.
Description
The page contains the following boxes:
● Time Manually
Enable or disable the manual time setting. If you enable the option, the "System Time"
input box can be edited.
● System Time
Enter the date and time in the format "MM/DD/YYYY HH:MM:SS".
After a restart, the time of day begins at 01/01/2000 00:00:00
● Use PC Time
Click the button to use the time setting of the PC.
● Last Synchronization Time
Shows when the last time-of-day synchronization took place. If no time-of-day
synchronization was possible, the box displays "Date/time not set".
Procedure
1. Enable the "Time Manually" option.
2. Click in the "System Time" input box.
3. In the "System Time" input box, enter the date and time in the format "MM/DD/YYYY
HH:MM:SS".
4. Click the "Set Values" button.
The date and time are adopted and "Manual" is entered in "Last Synchronization
Mechanism" box.
Settings
The page contains the following boxes:
● Select
Select the row you want to delete.
● DST No.
Shows the number of the entry.
If you create a new entry, a new line with a unique number is created.
● Name
Shows the name of the entry.
● Year
Shows the year for which the entry was created.
● Start Date
Shows the month, day and time for the start of daylight saving time.
● End Date
Shows the month, day and time for the end of daylight saving time.
● Recurring Date
With an entry of the type "Recurring", the period in which daylight saving time is active is
displayed consisting of week, day, month and time of day.
With an entry of the type "Date" a "-" is displayed.
● Status
Shows the status of the entry:
– Enabled
The entry was created correctly.
– Invalid
The entry was created new and the start and end date are identical.
● Type
Shows how the daylight saving time changeover is made:
– Date
A fixed date is entered for the daylight saving time changeover.
– Recurring
A rule was defined for the daylight saving time changeover.
Procedure
Creating an entry
1. Click the "Create" button.
A new entry is created in the table.
2. Click on the required entry in the "DST No column.
You change to the "DST Configuration" page.
3. Select the required type in the "Type" drop-down list.
Depending on the selected type, various settings are available.
4. Enter a name name in the "Name" box.
5. If you have selected the type "Date", fill in the following boxes.
– Year
– Day (for start and end date)
– Hour (for start and end date)
– Month (for start and end date)
6. If you have selected the type "Recurring", fill in the following boxes.
– Hour (for start and end date)
– Month (for start and end date)
– Week (for start and end date)
– Day (for start and end date)
7. Click the "Set Values" button.
Deleting an entry
1. Enable "Select" in the row to be deleted.
2. Click the "Delete" button. The entry is deleted.
Settings
Note
The content of this page depends on the selection in the "Type" box.
The boxes "DST No.", "Type" and "Name" are always shown.
● DST No.
Select the type of the entry.
● Type
Select how the daylight saving time changeover is made:
– Date
You can enter a fixed date for the daylight saving time changeover.
This setting is suitable for regions in which the daylight saving time changeover is not
governed by rules.
– Recurring
You can define a rule for the daylight saving time changeover.
This setting is suitable for regions in which the daylight saving time always begins or
ends on a certain weekday.
● Name
Enter a name for the entry.
The name can be a maximum of 16 characters long.
Settings with "Date" selected
You can set a fixed date for the start and end of daylight saving time.
● Year
Enter the year for the daylight saving time changeover.
● Start Date
Enter the following values for the start of daylight saving time:
– Day
Enter the day.
– Hour
Enter the hour.
– Month
Enter the month.
● End Date
Enter the following values for the end of daylight saving time:
– Day
Enter the day.
– Hour
Enter the hour.
– Month
Enter the month.
You can create a rule for the daylight saving time changeover.
● Year
Enter the year for the daylight saving time changeover.
● Start Date
Enter the following values for the start of daylight saving time:
– Hour
Enter the hour.
– Month
Enter the month.
– Week
Enter the week.
You can select the first to fourth or the last week of the month.
– Day
Enter the weekday.
● End Date
Enter the following values for the end of daylight saving time:
– Hour
Enter the hour.
– Month
Enter the month.
– Week
Enter the week.
You can select the first to fourth or the last week of the month.
– Day
Enter the weekday.
Requirement
To receive the SNTP frames, enable the entry "System Time" under "Security > Firewall >
Predefined IPv4 rules".
Description
The page contains the following boxes:
● SNTP Client
When enabled, the device receives the system time from an SNTP server.
● Current System Time
Shows the current date and current normal time received by the IE switch. If you specify
a time zone, the time information is adapted accordingly.
● Last Synchronization Time
Shows when the last time-of-day synchronization took place.
● Last Synchronization Mechanism
Shows how the last time synchronization was performed. The following types are
possible:
– Not set
The time was not set.
– Manual
Manual time setting
– SNTP
Automatic time-of-day synchronization with SNTP
– NTP
Automatic time-of-day synchronization with NTP
– SIMATIC
Automatic time-of-day synchronization using the SIMATIC time frame
● Time Zone
In this box, enter the time zone you are using in the format "+/- HH:MM". The time zone
relates to UTC standard world time.
The time in the "Current System Time" box is adapted accordingly.
● Daylight Saving Time
Shows whether the daylight saving time changeover is active.
– active (offset +1 h)
The system time was changed to daylight saving time; in other words, an hour was
added. You can see the current system time at the top right in the selection area of the
WBM.
The set time continues to be displayed in the "System Time" box.
– inactive (offset +0 h)
The current system time is not changed.
● SNTP Mode
Select the synchronization mode from the drop-down list. The following types are
possible:
– Poll
If you select this mode, the input boxes "SNTP Server Address", "SNTP Server Port"
and "Poll Interval[s]" are displayed to allow further configuration. With this type of
synchronization, the device is active and sends a time query to the SNTP server.
In this mode, IPv4 and IPv6 addresses are supported.
– Listen
With this type of synchronization, the device is passive and receives SNTP frames
that deliver the time of day. For this mode, create the following firewall rules from
"VLANx" to "Device" manually. In this mode, only IPv4 addresses are supported.
Note
SNTP Client in Listen mode and NTP Server cannot be enabled at the same time.
● Poll Interval[s]
Enter the interval between two time queries. In this box, you enter the polling interval in
seconds. Possible values are 16 to 16284 seconds.
The table has the following columns:
● Select
Select the row you want to delete.
● SNTP Server Address
Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the
SNTP server.
● SNTP Server Port
Enter the port of the SNTP server.
The following ports are possible:
– 123 (standard port)
– 1025 to 36564
● Poll Interval[s]
Enter the interval between two time queries. In this box, you enter the polling interval in
seconds. Possible values are 16 to 16284 seconds.
Procedure
1. Click the "SNTP Client" check box to enable the automatic time setting.
2. In "Time Zone", enter the local time difference to world time (UTC).
The input format is "+/-HH:MM" because the NTP server always sends UTC time, for
example +02:00 for CEST, the Central European Summer Time. This time is recalculated
and displayed as the local time based on the specified time zone.
3. Select one of the following options from the "SNTP Mode" drop-down list:
– Poll
For this mode, you need to configure the following:
- time zone difference (step 2)
- query interval (step 4)
-time server (step 5)
- Port (step 7)
- complete the configuration with step 8.
– Listen
For this mode, you need to configure the following:
- time difference to the time sent by the server (step 2)
- time server (step 5)
- port (step 7)
- complete the configuration with step 8.
4. In "SNTP Server Address", enter the address of the SNTP server whose frames will be
used to synchronize the time of day.
5. In "SNTP Server Port", enter the port via which the SNTP server is available. The port
can only be modified if the IP address of the SNTP server is entered.
6. In "Poll Interval[s]", enter the time in seconds after which a new time query is sent to the
time server.
7. Click the "Set Values" button.
Requirement
To receive the NTP frames, enable the entry "System Time" under "Security > Firewall >
Predefined IPv4 rules".
Description
The page contains the following boxes:
● NTP client
When enabled, the device receives the system time from an NTP server.
● Secure NTP Client only
When enabled, the device receives the system time from a secure NTP server. The
setting applies to all server entries.
To use the secure NTP client, you configure the parameters for authentication (key ID,
hash algorithm, key).
● Current System Time
Shows the current date and current normal time received by the device. If you specify a
time zone, the time information is adapted accordingly.
● Last Synchronization Time
Shows when the last time-of-day synchronization took place.
● Last Synchronization Mechanism
Shows how the last time synchronization was performed. The following methods are
possible:
– Not set
The time was not set.
– Manual
Manual time setting
– SNTP
Automatic time-of-day synchronization with SNTP
– NTP
Automatic time-of-day synchronization with NTP
– SIMATIC
Automatic time-of-day synchronization using the SIMATIC time frame
– PTP
Automatic time-of-day synchronization with PTP
● Time Zone
Enter the time zone you are using in the format "+/- HH:MM". The time zone relates to
UTC standard world time.
The time in the "Current System Time" box is adapted accordingly.
● Key
Enter the authentication key. The length depends on the hash algorithm.
The following minimum lengths are recommended for the hash algorithm:
– MD5: ASCII 16 characters
– SHA1: ASCII 20 characters
● Key confirmation
Repeat the authentication key.
Procedure
Time-of-day synchronization with NTP server
1. Click in the "NTP Client" check box to enable the automatic time setting using NTP.
2. In "Time Zone", enter the local time difference to world time (UTC).
The input format is "+/-HH:MM" because the NTP server always sends UTC time, for
example +02:00 for CEST, the Central European Summer Time. This time is recalculated
and displayed as the local time based on the specified time zone.
3. Select the "NTP Server Index".
4. Click the "Create" button.
A new row is inserted in the table for the NTP server.
5. In "NTP Server Address", enter the address of the NTP server whose frames are used to
synchronize the time of day.
6. In "NTP Server Port", enter the port via which the NTP server is available. The port can
only be modified if the address of the NTP server is entered.
7. In the "Poll Interval" column, enter the interval in seconds after which a new time-of-day
query is sent to the time server.
8. Click the "Set Values" button.
Time-of-day synchronization via a secure NTP server
To synchronize the time of day via a secure NTP server, the following additional steps are
necessary:
1. Click the "Secure NTP Client only" check box to enable the automatic time setting using
Secure NTP.
2. Configure the authentication.
– In "Key ID" enter the ID of the authentication key.
– In "Hash Algorithm" select the required format.
– In "Key" enter the authentication key.
With these entries, the NTP client authenticates itself with the secure NTP server. These
entries must be present on the secure NTP server.
3. Click the "Set Values" button.
Description
The page contains the following boxes:
● SIMATIC Time Client
Select this check box to enable the device as a SIMATIC time client.
● Current System Time
Shows the current system time.
● Last Synchronization Time
Shows when the last time-of-day synchronization took place.
● Last Synchronization Mechanism
Shows how the last time synchronization was performed. The following methods are
possible:
– Not set
The time was not set.
– Manual
Manual time setting
– SNTP
Automatic time-of-day synchronization with SNTP
– NTP
Automatic time-of-day synchronization with NTP
– SIMATIC
Automatic time-of-day synchronization using the SIMATIC time frame
Procedure
1. Click the "SIMATIC Time Client" check box to enable the SIMATIC Time Client.
2. Click the "Set Values" button.
Note
Time synchronization
Also configure the device as NTP client so that it synchronizes the connected devices to a
correct time. As NTP client, the device gets the precise time from an external time server
and as NTP server distributes it to its NTP clients.
Requirement
● To receive the NTP frames, enable the entry "System Time" under "Security > Firewall >
Predefined IPv4 rules".
Description
The page contains the following boxes:
● NTP Server
Enable or disable the service of the NTP server.
Note
SNTP Client in Listen mode and NTP Server cannot be enabled at the same time.
● Interface
Specify the interface via which the time is transferred using NTP.
The table has the following columns:
● Select
Select the row you want to delete.
● Interface
Via this interface the time is transferred using NTP.
● Listen
When enabled, the other devices can call up the time via this interface.
● Server Port
Enter the port of the NTP server.
The following ports are possible:
– 123 (standard port)
– 1025 to 36564
● Secure
When this is enabled, the NTP server becomes an NTP server of the type "NTP
(secure)".
The following columns are only relevant for "NTP (secure)". Otherwise, these boxes cannot
be edited:
● Key ID
Enter the ID of the authentication key.
● Hash Algorithm
Specify the format for the authentication key.
● Key
Enter the authentication key. The length depends on the hash algorithm.
The following minimum lengths are recommended for the hash algorithm:
– MD5: ASCII 16 characters
– SHA1: ASCII 20 characters
● Key Confirmation
Enter the authentication key for confirmation.
● Status
Shows whether or not the interface is active.
Note
No automatic logout from the CLI
If the connection is not terminated after the set time, check the "Keep alive" setting on the
Telnet client.
If the interval for "Keep alive" is shorter than the configured time, the connection is
maintained although no user data is transferred. You have set, for example, 300 seconds for
the automatic logoff and the "Keep alive" function is set to 120 seconds. In this case, a
packet is sent every 120 seconds that keeps the connection uninterrupted.
• Turn off the "Keep alive" (interval time=0)
or
• Set the interval high enough so that the underlying connection is terminated when there is
inactivity.
Procedure
1. Enter a value of 60-3600 seconds in the "Web Base Management [s]" input box. If you
enter the value 0, the automatic logout is disabled.
2. Enter a value of 60-600 seconds in the "CLI (TELNET, SSH) [s]" input box. If you enter
the value 0, the automatic logout is disabled.
3. Click the "Set Values" button.
4.5.10 Button
Functionality
The SELECT/SET button is used to:
● Restart
● Load new firmware
● Reset to factory settings.
You will find a detailed description of the functions in the operating instructions for the
device.
On this page, the functionality of the button can be restricted.
Description
The following functionality is possible:
● Restart / Restore Factory Defaults
When disabled, the SELECT/SET button cannot be used for a restart or to restore factory
settings.
CAUTION
Button function "Restart / Restore Factory Defaults" active during startup
If you have disabled this function in your configuration, disabling is only valid during
operation. When restarting, for example after power off, the function is active until the
configuration is loaded and the device can therefore inadvertently be reset to the factory
settings. This may cause unwanted disruption in network operation since the device
then needs to be reconfigured. An inserted PLUG is also deleted and returned to the
status as shipped.
You will find more information on how to restore the device to the factory defaults despite
disabled functions in the section "Upkeep and maintenance (Page 317)".
Description
The page contains the following boxes:
● Syslog Client
Enable or disable the Syslog function.
● Syslog Server Address
Enter the IP address of the Syslog server.
This table contains the following columns
● Select
Select the row you want to delete.
● Syslog Server Address
Shows the IP address of the Syslog server.
● Server Port
Enter the port of the Syslog server being used.
Procedure
Enabling function
1. Select the "Syslog Client" check box.
2. Click the "Set Values" button.
Creating a new entry
1. In the "Syslog Server Address" input box, enter the IP address of the Syslog server on
which the log entries will be saved.
2. Click the "Create" button. A new row is inserted in the table.
3. In the "Server Port" input box, enter the number of the UDP port of the server.
4. Click the "Set Values" button.
Note
The default setting of the server port is 514.
Description
Table 1 has the following columns:
● 1st column
Shows that the settings are valid for all ports.
● Setting
Select the setting from the drop-down list. You have the following setting options:
– "-" (disabled)
– Up
– Down
– No Change: The setting in table 2 remains unchanged.
● Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
● Port
Shows the available ports and link aggregations. The port is made up of the module
number and the port number, for example port 0.1 is module 0, port 1.
● Setting
Select the setting from the drop-down list. You have the following options:
– Up
Error handling is triggered when the port changes to the active status.
(From "Link down" to "Link up")
– Down
Error handling is triggered when the port changes to the inactive status.
(From "Link up" to "Link down")
– "-" (disabled)
The error handling is not triggered.
Procedure
Configure error monitoring for a port
1. From the relevant drop-down list, select the options of the slots / ports whose connection
status you want to monitor.
2. Click the "Set Values" button.
Configure error monitoring for all ports
1. Select the required setting from the drop-down list of the "Setting"column.
2. Click the "Copy to table" button. The setting is adopted for all ports of table 2.
3. Click the "Set Values" button.
4.5.13 PLUG
4.5.13.1 Configuration
NOTICE
Do not remove or insert a C-PLUG / KEY-PLUG during operation!
A PLUG may only be removed or inserted when the device is turned off.
The device checks whether or not a PLUG is present at one second intervals. If it is
detected that the PLUG was removed, there is a restart. If a valid KEY-PLUG was inserted
in the device, the device changes to a defined error state following the restart. With
SCALANCE M, the available wireless interfaces are deactivated in this case.
If the device was configured at some time with a PLUG, the device can no longer be used
without this PLUG. To be able to use the device again, reset the device to the factory
settings.
Note
Incompatibility with previous versions with PLUG inserted
During the installation of a previous version, the configuration data can be lost. In this case,
the device starts up with the factory settings after the firmware has been installed. In this
situation, if a PLUG is inserted in the device, following the restart, this has the status "Not
Accepted" since the PLUG still has the configuration data of the previous more up-to-date
firmware. This allows you to return to the previous, more up-to-date firmware without any
loss of configuration data.
If the original configuration on the PLUG is no longer required, the PLUG can be deleted or
rewritten manually using "System > PLUG".
Note
The action is only executed after you click the "Set Values" button.
The action cannot be undone.
If you decide against executing the function after making your selection, click the "Refresh"
button. As a result the data of this page is read from the device again and the selection is
canceled.
Description
The table has the following rows:
● Status
Shows the status of the PLUG. The following are possible:
– ACCEPTED
There is a PLUG with a valid and suitable configuration in the device.
– NOT ACCEPTED
Invalid or incompatible configuration on the inserted PLUG.
– NOT PRESENT
There is no C-PLUG or KEY-PLUG inserted in the device.
– FACTORY
PLUG is inserted and does not contain a configuration. This status is also displayed
when the PLUG was formatted during operation.
– MISSING
There is no PLUG inserted. Functions are configured on the device for which a license
is required.
● Device Group
Shows the SIMATIC NET product line that used the C-PLUG or KEY-PLUG previously.
● Device Type
Shows the device type within the product line that used the C-PLUG or KEY-PLUG
previously.
● Configuration Revision
The version of the configuration structure. This information relates to the configuration
options supported by the device and has nothing to do with the concrete hardware
configuration. This revision information does not therefore change if you add or remove
additional components (modules or extenders), it can, however, change if you update the
firmware.
● File System
Displays the type of file system on the PLUG.
● File System Size
Displays the maximum storage capacity of the file system on the PLUG.
● File System Usage
Displays the memory utilization of the file system of the PLUG.
● Firmware on PLUG (as of firmware version 4.3)
When enabled, the firmware will be stored on the PLUG. This means that automatic
firmware updates/downgrades can be made with the PLUG.
● Info String
Shows additional information about the device that used the PLUG previously, for
example, article number, type designation, and the versions of the hardware and
software. The displayed software version corresponds to the version in which the
configuration was last changed. With the "NOT ACCEPTED" status, further information
on the cause of the problem is displayed.
If a PLUG was configured as a PRESET PLUG this is shown here as additional
information in the first row. For more detailed information on creating and using a
PRESET PLUG refer to the section "Maintenance".
● Modify PLUG
Select the setting from the drop-down list. You have the following options for changing
the configuration on the C-PLUG or KEY-PLUG:
– Write Current Configuration to the PLUG
This option is available only if the status of the PLUG is "NOT ACCEPTED" or
"FACTORY".
The configuration in the internal flash memory of the device is copied to the PLUG.
– Erase PLUG to factory default
Deletes all data from the PLUG and triggers low-level formatting.
Procedure
1. You can only make settings in this box if you are logged on as "Administrator". Here, you
decide how you want to change the content of the PLUG.
2. Select the required option from the "Modify PLUG" drop-down list.
3. Click the "Set Values" button.
4.5.13.2 License
NOTICE
Do not remove or insert a C-PLUG / KEY-PLUG during operation!
A PLUG may only be removed or inserted when the device is turned off.
The device checks whether or not a PLUG is present at one second intervals. If it is
detected that the PLUG was removed, there is a restart. If a valid KEY-PLUG was inserted
in the device, the device changes to a defined error state following the restart. With
SCALANCE M, the available wireless interfaces are deactivated in this case.
If the device was configured at some time with a PLUG, the device can no longer be used
without this PLUG. To be able to use the device again, reset the device to the factory
settings.
Note
Incompatibility with previous versions with PLUG inserted
During the installation of a previous version, the configuration data can be lost. In this case,
the device starts up with the factory settings after the firmware has been installed. In this
situation, if a PLUG is inserted in the device, following the restart, this has the status "NOT
ACCEPTED" since the PLUG still has the configuration data of the previous more up-to-date
firmware. This allows you to return to the previous, more up-to-date firmware without any
loss of configuration data.
If the original configuration on the PLUG is no longer required, the PLUG can be deleted or
rewritten manually using "System > PLUG".
Description
● Status
Shows the status of the KEY-PLUG. The following are possible:
– ACCEPTED
There is a KEY-PLUG with a valid and matching license in the device.
– NOT ACCEPTED
The license of the inserted KEY-PLUG is not valid.
– NOT PRESENT
No KEY-PLUG is inserted in the device.
– MISSING
There is no KEY-PLUG inserted with the "FACTORY" status. Functions are configured
on the device for which a license is required.
– WRONG
The inserted KEY-PLUG is not suitable for the device.
– UNKNOWN
Unknown content of the KEY-PLUG.
– DEFECTIVE
The content of the KEY-PLUG contains errors.
● Order ID
Shows the order ID of the KEY-PLUG. The KEY-PLUG is available for various functional
enhancements and for various target systems.
● Serial Number
Shows the serial number of the KEY-PLUG.
● Info String
Shows additional information about the device that used the KEY-PLUG previously, for
example, article number, type designation, and the versions of the hardware and
software. The displayed software version corresponds to the version in which the
configuration was last changed. With the "NOT ACCEPTED" status, further information
on the cause of the problem is displayed.
Note
When you save the configuration, the information about whether or not a KEY-PLUG was
inserted in the device at the time is also saved. This configuration can then only work if a
KEY-PLUG with the same order number / license is inserted.
4.5.14 Ping
Description
The table has the following columns:
● Destination Address
Enter the IPv4 address or the FQDN of the device.
● Repeat
Enter the number of ping requests.
● Ping
Click this button to start the ping function.
● Ping Output
This box shows the output of the ping function.
● Clear
Click this button to empty the "Ping Output" box.
Note
DCP Discovery
The function is only available with the VLAN associated with the TIA interface. You can
configure the TIA interface with "Layer 3 > Subnets > Configuration".
Requirement:
To adapt network parameters, DCP requires write access to the device. If access is write-
protected, the network parameters cannot be configured.
On the SCALANCE devices you configure the access in "System > Configuration".
Description
The page contains the following boxes:
● Interface
Select the required interface.
● Discover
Starts the search for devices reachable via the selected interface.
On completion of the search the reachable devices are listed in the table. The table is
limited to 100 entries.
Procedure
1. Select the TIA interface.
2. To show all devices that can be reached via the TIA interface, click the "Browse" button.
3. Adapt the desired properties.
4. Click the "Set Values" button.
The status of the modified properties changes to "Configured".
5. To ensure that the properties were applied correctly, click the "Browse" button again.
The status of the modified properties changes to "Discovered".
4.5.16 DNS
Description
The page contains the following boxes:
● DNS client
Enable or disable depending on whether the device should operate as a DNS client.
● Used DNS Servers
Specify which DNS server the device uses:
– learned only
The device uses only the DNS servers assigned by DHCP.
– manual only
The device uses only the manually configured DNS servers. The DNS servers must
be connected to the Internet. A maximum of two DNS servers can be configured.
– all
The device uses all available DNS servers.
Description
The page contains the following boxes:
● Enable DNS Proxy
Enable or disable the proxy of the DNS server.
● Cache Name Errors (NXDOMAIN)
Enable or disable the caching of NXDOMAIN replies. If you enable the option, the domain
names that were unknown to the DNS server remain in the cache.
Description
The table has the following columns:
● Service
Shows which providers are supported.
● Enabled
When enabled, the device logs on to the DDNS server.
● Host
Enter the host name that you have agreed with your DDNS provider for the device, e.g.
example.no-ip-com.
● User Name
Enter the user name with which the device logs on to the DDNS server.
● Password
Enter the password assigned to the user.
● Password Confirmation
Confirm the password.
Procedure
Requirement:
● User name and password that gives you the right to use the DDNS service.
● Registered hostname, e.g. example.no-ip.com
● UDP port 53 for DNS is enabled and is not used for NAT.
1. In "Host", enter the hostname that you have agreed with your DDNS provider for the
device, e.g. example.no-ip-com.
2. Enter the login data (user name, password) for the DDNS server.
3. Select "Enabled". This hostname is used for the device.
4. Click on "Set Values".
4.5.17 DHCP
Description
The page contains the following boxes:
● Keep Alive
When this is enabled, the IP address is retained in the event of a connection breakdown
and is not reset to 0.0.0.0. Keep Alive is enabled by default. When Keep Alive is disabled,
the IP address is reset to 0.0.0.0 in the event of a communication breakdown.
● DHCP Client Configuration Request (Opt. 66, 67)
When enabled, the DHCP client uses the options to download the configuration file
(option 67) from the TFTP server (option 66). After the restart, the device uses the data
from the configuration file.
Note
Configuration file and firmware version
The configuration file is used to store and read in configuration data within a firmware
version, e.g. 4.3. Configuration files created with a firmware version <4.2 cannot be read
in to a device with a firmware version 4.3.
● DHCP Mode
Specify the type of identifier with which the DHCP client logs on with its DHCP server.
– via MAC Address
Identification is based on the MAC address.
– via DHCP Client ID
Identification is based on a freely defined DHCP client ID.
– via System Name
Identification is based on the system name. If the system name is 255 characters long,
the last character is not used for identification.
– via Iaid and Duid
With this the DHCP client can log on with DHCP servers that support parallel
operation of IPv4 and IPv6.
The identification is via the IAID and the DUID and identifies precisely one IP interface
of the device.
IAID (Interface Association Identifier): At least one IAID is generated for each IP
interface The IAID remains unchanged when the DHCP client restarts
DUID (DHCP Unique Identifier): Uniquely identifies server and clients and applies to
all IP interfaces of the device. The DUID remains unchanged when there is a restart.
Note
DHCP mode "via PROFINET device name"
With firmware version 5.0, the setting "via PROFINET device name" was removed.
Procedure
Follow the steps below to configure the IP address using the DHCP client ID:
1. Select the identification method in the "DHCP Mode" drop-down list.
If you select the DHCP mode "via DHCP Client ID" an input box appears.
In the enabled input box "DHCP client ID" enter a string to identify the device. This is then
evaluated by the DHCP server.
2. Select the "DHCP Client Configuration Request (Opt. 66, 67)", if you want the DHCP
client to use options 66 and 67 to download and then enable a configuration file.
3. Enable the "DHCP" option in the table.
4. Click the "Set Values" button.
Note
If a configuration file is downloaded, this can trigger a system restart. If the currently
running configuration and the configuration in the downloaded configuration file differ, the
system restarts.
Make sure that the option "DHCP Client Configuration Request (Opt. 66, 67)" is no longer
set.
Requirement
● The connected devices are configured so that they obtain the IP address from a DHCP
server.
Description
The page contains the following boxes:
● DHCP Server
Enable or disable the DHCP server on the device.
Note
To avoid conflicts with IPv4 addresses, only one device may be configured as a DHCP
server in the network.
Note
If there are devices in your network on which the echo service is disabled as default,
there may be conflicts with the IPv4 addresses. To avoid this, assign these devices an
IPv4 address outside the IPv4 address band.
Note
If you enable the IPv4 address band, its settings in this and the other DHCP tabs are
grayed out and can no longer be edited.
● Subnet
Enter the network address range that will be assigned to the devices. Use the CIDR
notation.
● Lower IP Address
Enter the IPv4 address that specifies the start of the dynamic IPv4 address band. The
IPv4 address must be within the network address range you configured for "Subnet".
● Upper IP address
Enter the IPv4 address that specifies the end of the dynamic IPv4 address band. The
IPv4 address must be within the network address range you configured for "Subnet".
● Lease Time (sec)
Specify for how many seconds the assigned IPv4 address remains valid. When half the
period of validity has elapsed. the DHCP client can extend the period of the assigned
IPv4 address. When the entire time has elapsed, the DHCP client needs to request a new
IPv4 address.
Description
The page contains the following boxes:
● Pool ID
Select the required address band.
● Option Code
Enter the number of the required DHCP option.
Note
DHCP options supported
The DHCP options 1, 2, 3, 4, 5, 6, 42, 66, 67 are supported.
The DHCP options 1, 3, 6, 66 and 67 are created automatically when the IPv4 address
band is created. With the exception of option 1, the options can be deleted.
The table has the following columns:
● Select
Select the check box in the row to be deleted
● Pool ID
Shows the number of the address band.
● Option Code
Shows the number of the DHCP option.
● Use Interface IP
Specify whether or not the internal IP address of the device will be used.
● Value
Enter the DHCP parameter that is transferred to the DHCP client. The content depends
on the DHCP option.
Description
The page contains the following boxes:
● Pool ID
Select the required address band.
● Client Identification Method
Select the method according to which a client is identified.
– Ethernet MAC
Identification is based on the MAC address. Enter the MAC address in "Value". A
MAC address consists of six byes separated by hyphens in hexadecimal notation, e.g.
00-ab-1d-df-b4-1d.
– Client ID
Identification is based on a freely defined DHCP client ID. Enter the required
designation in "Value".
– DUID
Identification is based on the DUID and IAID. Enter the required designation in "Value"
e.g. 00-00-01-C2-00-01-00-01-00-00-00-72-00-1B-1B-B6-32-9D.
● Value
Enter the required value. The entry depends on the selected identification method of the
client.
Note
A maximum of 20 entries are possible.
Note
Common Remote Service Platform (cRSP) / Siemens Remote Service (SRS) is a remote
maintenance platform via which remote maintenance access is possible.
To use the platform, additional service contracts are necessary and certain constraints must
be kept to. If you are interested in cRSP / SRS, call your local Siemens contact or visit Web
page (https://support.industry.siemens.com/cs/gb/en/sc/2281).
On this page, you configure the access data for the SRS / cRSP acc. to URI syntax. The
Uniform Resource Identifier (URI) is defined in RFC 3986.
Description
The page contains the following boxes:
● Enable DDNS for cRSP / SRS
Enable or disable the use of cRSP / SRS.
● Update Interval
Enter the time interval.
● Validate Server Certificate
When enabled, the device checks the validity of the received server certificate.
The table has the following columns:
● Index
The number of the entry.
● Select
Select the check box in the row to be deleted.
● Scheme
Identifies the access method and the resource type.
https: Secure access to a Web page.
● Authority
Contains the address of the destination server
● Path
Contains the target path to the resource. The target path can correspond to a directory
name or file name.
● Query
A query can contain parameter values for an application.
– WAN_IP (keyword): Replaces WAN_IP with current external IP address of the device
to the destination server.
● Frag.
Addresses local parts of the resource, e.g. the anchor attribute of a Web page.
● Status
Shows the status of the last cRSP / SRS access of the entry.
● Enabled
When enabled, this entry is used.
Description
● Proxy Name
Enter a name for the proxy server.
The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Name
Shows the name of the proxy server.
● Address
Enter the IPv4 address of the proxy server.
● Type
Specify the type of the proxy server.
– HTTP: Proxy server only for access using HTTP.
– SOCKS: Universal proxy server
● Port
Enter the port on which the proxy service runs.
● Auth. Method
Specify the authentication method.
– None
Without authentication
– Basic
Standard authentication. User name and password are sent unencrypted.
– NTLM (NT LAN Manager)
Authentication according to the NTLM standard (Windows user logon)
● User Name
Enter the user name for access to the proxy server.
● Password
Enter the password for access to the proxy server.
● Password Confirmation
Enter the password again to confirm it.
4.5.20 SINEMA RC
On the WBM page, you configure the access to the SINEMA RC server.
Note
This function can only be used with a KEY PLUG (Page 25).
Description
The page contains the following:
● Enable SINEMA RC
– Enabled:
A connection to the configured SINEMA RC Server is established. These boxes
cannot be edited.
– Disabled:
The boxes can be edited. Any existing connection is terminated.
"Server settings" area
● SINEMA RC Address
Enter the IPv4 address or the DNS host name of the SINEMA RC Server.
● SINEMA RC Port
Enter the port via which the SINEMA RC Server can be reached.
"Server Verification" area
● Verification Type
– Fingerprint: The identity of the server is verified based on the fingerprint.
– CA certificate: The identity of the server is verified based on the CA certificate.
● Fingerprint
Only necessary with the setting "Fingerprint". Enter the fingerprint of the device. The
fingerprint is assigned during commissioning of the SINEMA RC Server. Based on the
fingerprint, the device checks whether the correct SINEMA RC Server is involved. You
will find further information on this in the Operating Instructions of the SINEMA RC
Server.
● CA Certificate
Only necessary with the setting "CA Certificate". Select the CA certificate of the server
used to sign the server certificate. Only loaded CA certificates can be selected.
"Device Credentials" area
● Device ID
Enter the device ID. The device ID is assigned when configuring the device on the
SINEMA RC Server. You will find further information on this in the Operating Instructions
of the SINEMA RC Server.
● Device Password
Enter the password with which the device logs on to the SINEMA RC Server. The
password is assigned when configuring the device on the SINEMA RC Server. You will
find further information on this in the Operating Instructions of the SINEMA RC Server.
● Device Password Confirmation
Repeat the password.
Note
Cloud Connector via SINEMA RC (only with SCALANCE M804PB)
• Standard port 9023
The firewall rule is created automatically for the standard port. Communication with
the TIA Portal Cloud Connector is possible via this port.
• Any port
If you change the standard port, you must configure the following firewall rule:
Security > Firewall > IP service:
– Service name: "SINEMARC“
– Transport: TCP
– Source port: *
– Destination port: Port of the TIA Portal Cloud Connector, see "System > Cloud
Connector"
Security > Firewall > IP rules:
– Protocol: IPv4
– Action: Accept
– From: SINEMA RC
– To: Device
– Source (Range): SINEMA RC Address
– Destination (Range): 0.0.0.0/0
– Services: SINEMARC
● Type of connection
Specify the type of VPN connection. For more detailed information, refer to the section
"VPN connection establishment".
– Auto
The device adopts the settings of the SINEMA RC Server. You configure the settings
on the SINEMA RC Server in "Remote connections > Devices". You will find further
information on this topic in the operating instructions "SINEMA RC Server".
– Permanent
The settings of the SINEMA RC Server are ignored. The device establishes a VPN
connection to the SINEMA RC Server. The VPN tunnel is established permanently
– Wake-up SMS (only with M87x)
The settings of the SINEMA RC Server are ignored. When the device receives a
command SMS message (wake-up SMS message), it attempts to establish a
connection to the SINEMA RC Server. On condition that in "System > SMS > SMS
Command" it is specified who a command SMS of the class "System" will be accepted
from.
– Digital Input
The settings of the SINEMA RC Server are ignored. If the "Digital In" event occurs, the
device attempts to establish a VPN connection to the SINEMA RC Server. This is on
condition that the event "Digital Input" is forwarded to the VPN connection. To do this
in "System > Events> Configuration" activate "VPN Tunnel" for the "Digital In" event.
– Digital In & Wake-up SMS (only with M87x)
The settings of the SINEMA RC Server are ignored. If the "Digital In" event occurs or
when the device receives an SMS command, it attempts to establish a VPN
connection to the SINEMA RC Server.
● Use Proxy
Specify whether a connection to the defined SINEMA RC Server is established via a
proxy server. Only the proxy servers can be selected that you configured in "System >
Proxy Server".
● Autoenrollment Interval [min]
Specify the period of time in minutes after which queries are sent to the SINEMA RC
Server. With this query, the device checks whether there is a newer firmware file on the
SINEMA RC server or whether the connection settings have changed.
If you enter the value 0, this function is disabled.
4.6.1 Ethernet
4.6.1.1 Overview
The page shows the configuration for the data transfer for all ports of the device. You cannot
configure anything on this page.
Description
The table has the following columns:
● Port
Shows the configurable ports. The entry is a link. If you click on the link, the
corresponding configuration page is opened.
● Port Name
Shows the name of the port.
● Port Type (only with routing)
Shows the type of the port. The following types are possible:
– Switch Port VLAN Hybrid
– Switch Port VLAN Trunk
● Status
Shows whether the port is on or off. Data traffic is possible only over an enabled port.
● OperState
Displays the current operational status. The operational status depends on the configured
"Status" and the "Link". The available options are as follows:
– Up
You have configured the status "enabled" for the port and the port has a valid
connection to the network.
– Down
You have configured the status "disabled" or "Link down" for the port or the port has
no connection.
● Link
Shows the connection status to the network. With the connection status, the following is
possible:
– Up
The port has a valid link to the network, a link integrity signal is being received.
– Down
The link is down, for example because the connected device is turned off.
● Mode
Shows the transfer parameters of the port.
● Negotiation
Shows whether the automatic configuration is enabled or disabled.
● MAC Address
Shows the MAC address of the port.
4.6.1.2 Configuration
Configuring ports
With this page, you can configure all the ports of the device.
Description
● Port
Select the port to be configured from the drop-down list.
● Status
Specify whether the port is enabled or disabled.
– enabled
The port is enabled. Data traffic is possible only over an enabled port.
– disabled
The port is disabled but the connection remains.
Note
Turn off unused ports.
– link down
The port is disabled and the connection to the partner device is terminated.
● Port Name
Here, enter a name for the port.
● MAC Address
Shows the MAC address of the port.
● Mode Type
From this drop-down list, select the transmission speed and the transfer mode of the port.
The following settings are possible:
– 10 Mbps full duplex (FD) or half duplex (HD)
– 100 Mbps full duplex (FD) or half duplex (HD)
– Auto negotiation
If you set the mode to "Auto negotiation", these parameters are automatically negotiated
with the connected end device or network component. This must also be in the
"Autonegotiation" mode.
Note
Before the port and partner port can communicate with each other, the settings must
match at both ends.
● Mode
Shows the transmission speed and the transmission mode of the port. The display
depends on the set "Mode Type".
● Negotiation
Shows whether the automatic configuration of the connection to the partner port is
enabled or disabled.
● Port Type
Select the type of port from the drop-down list.
– Switch Port VLAN Hybrid
The port sends tagged and untagged frames. It is not automatically a member of a
VLAN.
– Switch-Port VLAN Trunk
The port only sends tagged frames and is automatically a member of all VLANs.
● OperState
Displays the current operational status. The operational status depends on the configured
"Status" and the "Link". The available options are as follows:
– Up
You have configured the status "enabled" for the port and the port has a valid
connection to the network.
– Down
You have configured the status "disabled" or "Link down" for the port or the port has
no connection.
● Link
Shows the physical connection status to the network. The available options are as
follows:
– Up
The port has a valid link to the network, a link integrity signal is being received.
– Down
The link is down, for example because the connected device is turned off.
4.6.2 PPP
4.6.2.1 Overview
This page shows the current status of the PPP connection.
● Type
Shows the protocol of the PPP connection.
● Operation
Shows whether the PPP connection is activated or deactivated.
● Status
Shows the status of the PPP connection.
– Ready
The PPP connection can be configured and enabled.
– Connecting
The PPP connection is configured, enabled and the connection is being established.
– Connected
The PPP connection is established.
– Error
Error status in which operator intervention is required, e.g. wrong password.
4.6.2.2 Configuration
On this page, you configure the PPP connection. The point-to-point protocol (PPP) allows
the connection of an external ADSL modem to an Ethernet interface and via this then a
connection to the Internet. The interface is also called PPP interface.
The device acts as a router and logs in with the user name and password. All connected
devices can use the PPP connection.
Description
The page contains the following:
● Interface
Select the PPP interface to be configured.
● Name
Shows the name of the PPP interface. You can change the name in "Layer 3 > Subnets".
● Type
Specify the protocol for the PPP connection.
– PPPoE (Point-to-Point over Ethernet)
The PPP data is encapsulated in an Ethernet frame.
● Operation
Specify whether the PPP connection is activated or deactivated.
● L2 Interface
Specify the interface via which the PPP connection is established. Only VLANs with a
configured subnet can be selected.
● User Name
Enter the user name. You will receive the user name from the DSL provider.
● Password
Enter the password. You will receive the password from the DSL provider.
● Password Confirmation
Repeat the password.
● Forced Disconnect
After a certain time, the DSL provider terminates the connection. Enable this option if you
want to shift the forced disconnect of your provider to a specific time of day, for example
at night outside normal office hours.
● Time for Forced Disconnect
Specify the time of day to which you want to shift the forced disconnect of the DSL
provider. This is only possible if the correct system time is set on the device.
Input format: HH:MM
Procedure
1. Specify how the PPP interface obtains the IP address. The following options are
available:
– Dynamic
Activate the DHCP function on the PPP interface. You can configure this setting in
"Layer 3 > Subnets > Configuration".
Note
• With the subnets, a maximum of one interface can have a dynamic IP
configuration.
– Static IP address
Deactivate the DHCP function on the PPP interface. Enter the IP address and the
subnet mask.
2. Configure the PPP interface.
3. Select "Enabled" for operation to activate the PPP interface.
4. Click "Set Values" to adopt the settings.
Configuring layer 2
On this page, you create a basic configuration for the functions of layer 2.
Description
● Passive Listening
When enabled the function ensures that the BPDUs from the RSTP network are
forwarded transparently and return again. If this was not the case, loops would form at
the connection point between RSTP and the ring.
4.7.2 VLAN
4.7.2.1 General
Note
Changing the Agent VLAN ID
If the configuration PC is connected directly to the device via Ethernet and you change the
agent VLAN ID, the device is no longer reachable via Ethernet following the change.
Description
The page contains the following boxes:
● Base Bridge Mode
Note
Changing Base bridge mode
Note the section "Changing Base bridge mode" in this chapter. This section describes
how a change affects the existing configuration.
Select the required mode from the drop-down list. The following modes are possible:
– 802.1Q VLAN Bridge
Sets the mode "VLAN-aware" for the device. In this mode, VLAN information is taken
into account.
– 802.1D Transparent Bridge
Sets the mode "VLAN-unaware" for the device. In this mode, VLAN tags are not taken
into account or changed but are forwarded transparently. In this mode, you cannot
create any VLANs. Only a management VLAN is available: VLAN 1.
● VLAN ID
Enter the VLAN ID in the "VLAN ID" input box.
Range of values: 1 ... 4094
The table has the following columns:
● Select
Select the row you want to delete.
● VLAN ID
Shows the VLAN ID. The VLAN ID (a number between 1 and 4094) can only be assigned
once when creating a new data record and can then no longer be changed. To make a
change, the entire data record must be deleted and created again.
● Name
Enter a name for the VLAN. The name only provides information and has no effect on the
configuration. The length is a maximum of 32 characters.
● Status
Shows the status type of the entry in the internal port filter table. Here, "Static" means that
the VLAN was entered statically by the user.
● List of ports
Specify the use of the port. The following options are available:
– "-"
The port is not a member of the specified VLAN.
With a new definition, all ports have the identifier "-".
– M
The port is a member of the VLAN. Frames sent in this VLAN are forwarded with the
corresponding VLAN tag.
– U (uppercase)
The port is an untagged member of the VLAN. Frames sent in this VLAN are
forwarded without the VLAN tag. Frames without a VLAN tag are sent from this port.
– u (lowercase)
The port is an untagged member of the VLAN, but the VLAN is not configured as a
port VLAN. Frames sent in this VLAN are forwarded without the VLAN tag.
– F
The port is not a member of the specified VLAN and cannot become a member of this
VLAN even if it is configured as a trunk port.
– T
This option is only displayed and cannot be selected in the WBM.
This port is a trunk port making it a member in all VLANs.
You configure this function in the CLI (Command Line Interface) using the "switchport
mode trunk" command or in the WBM under "Interfaces > Ethernet > Configuration".
Procedure
Requirement:
For Base Bridge mode "802.1Q VLAN Bridge" is set
Creating a new VLAN
1. Enter an ID in the "VLAN ID" input box.
2. Click the "Create" button. A new entry is generated in the table. As default, the boxes
have "-" entered.
3. Enter a name for the VLAN under Name.
4. Specify the use of the port in the VLAN. If, for example you select M, the port is a
member of the VLAN. The frame sent in this VLAN is forwarded with the corresponding
VLAN tag.
5. Specify the mode of the device.
6. Click the "Set Values" button.
Description
Table 1 has the following columns:
● All ports
Shows that the settings are valid for all ports of table 2.
● Priority / Port VID / Acceptable Frames / Ingress Filtering
In the drop-down list, select the setting for all ports. If "No Change" is selected, the entries
of the corresponding column in table 2 remain unchanged.
● Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
● Port
Shows the available ports.
● Priority
Select the required priority assigned to untagged frames.
The CoS priority (Class of Service) used in the VLAN tag. If a frame is received without a
tag, it will be assigned this priority. This priority specifies how the frame is further
processed compared with other frames.
There are a total of eight priorities with values 0 to 7, where 7 represents the highest
priority (IEEE 802.1p Port Priority).
● Port VID
Select the required VLAN ID. Only VLAN IDs defined in "VLAN > General" can be
selected.
If a received frame does not have a VLAN tag, it has a tag with the VLAN ID specified
here added to it and is sent according to the rules at the port.
● Acceptable Frames
Specify which types of frames will be accepted. The following alternatives are possible:
– Tagged Frames Only
The device discards all untagged frames. Otherwise, the forwarding rules apply
according to the configuration.
– All
The device forwards all frames.
● Ingress Filtering
Specify whether the VID of received frames is evaluated.
You have the following options:
– Enabled
The VLAN ID of received frames decides whether they are forwarded: To forward a
VLAN tagged frame, the receiving port must be a member in the same VLAN. Frames
from unknown VLANs are discarded at the receiving port.
– Disabled
All frames are forwarded.
Steps in configuration
1. In the row of the port to be configured, click on the relevant cell in the table to configure it.
2. Enter the values to be set in the input boxes as follows.
3. Select the values to be set from the drop-down lists.
4. Click the "Set Values" button.
Note
Rounding of the values, deviation from desired value
When you input the Aging Time, note that it is rounded to correct values. If you enter a
value that cannot be divided by 15, the value is automatically rounded down.
Steps in configuration
1. Select the "Dynamic MAC Aging" check box.
2. Enter the time in seconds in the "Aging Time[s]" input box.
3. Click the "Set Values" button.
4.7.4.1 General
This is the basic page for spanning tree. As default, Rapid Spanning Tree is enabled.
Description
The page contains the following boxes:
● Spanning Tree
Enable or disable spanning tree.
● Protocol Compatibility
The following setting is available:
– RSTP
Procedure
1. Select the "Spanning Tree" check box.
2. Click the "Set Values" button.
4.7.4.2 ST general
The page consists of the following parts.
● The left-hand side of the page shows the configuration of the device.
● The right-hand part shows the configuration of the root bridge that can be derived from
the spanning tree frames received by a device.
Description
The page contains the following boxes:
● Bridge Priority / Root Priority
Which device becomes the root bridge is decided by the bridge priority. The bridge with
the highest priority (in other words, with the lowest value for this parameter) becomes the
root bridge. If several devices in a network have the same priority, the device whose MAC
address has the lowest numeric value will become the root bridge. Both parameters,
bridge priority and MAC address together form the bridge identifier. Since the root bridge
manages all path changes, it should be located as centrally as possible due to the delay
of the frames.
The value for the bridge priority is a whole multiple of 4096. Range of values: 0 - 61440
● Bridge Address / Root Address
The bridge address shows the MAC address of the device and the root address shows
the MAC address of the root bridge.
● Root port
Shows the port via which the switch communicates with the root bridge.
● Root Cost
The path costs from this device to the root bridge.
● Topology Changes / Last Topology Change
The entry for the device shows the number of reconfiguration actions due to the spanning
tree mechanism since the last startup. For the root bridge, the time since the last
reconfiguration is displayed as follows:
– Seconds: Unit "sec" after the number
– Minutes: Unit min after the number
– Hours: Unit hr after the number
● Bridge hello time [s] / Root hello time [s]
Each bridge sends configuration frames (BPDUs) regularly. The interval between two
configuration frames is the "Hello Time".
Factory setting: 2 seconds
● Bridge Forward Delay[s] / Root Forward Delay[s]
New configuration data is not used immediately by a bridge but only after the period
specified in the Forward Delay parameter. This ensures that operation is only started with
the new topology after all the bridges have the required information.
Factory setting: 15 seconds
● Bridge Max Age[s] / Root Max Age[s]
If the BPDU is older than the specified "Max Age" it is discarded.
Factory setting: 20 seconds
● Reset Counters
Click this button to reset the counters on this page.
4.7.4.3 ST port
When the page is called, the table displays the current status of the configuration of the port
parameters.
To configure them, click the relevant cells in the port table.
Description
Table 1 has the following columns:
● All ports
Shows that the settings are valid for all ports of table 2.
● Spanning Tree Status
In the drop-down list, select the setting for all ports. If "No Change" is selected, the entries
of the corresponding column in table 2 remain unchanged.
● Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
● Port
Shows the available ports.
● Spanning Tree Status
Specify whether or not the port is integrated in the spanning tree.
Note
If you disable the "Spanning Tree Status" option for a port, this may cause the formation
of loops. The topology must be kept in mind.
● Priority
Enter the priority of the port. The priority is only evaluated when the path costs are the
same.
The value must be divisible by 16. If the value that cannot be divided by 16, the value is
automatically adapted.
Range of values: 0 - 240.
The default is 128.
● Cost Calc.
Enter the path cost calculation. If you enter the value "0" here, the automatically
calculated value is displayed in the "Path costs" box.
● Path Cost
This parameter is used to calculate the path that will be selected. The path with the
lowest value is selected as the path. If several ports of a device have the same value for
the path costs, the port with the lowest port number is selected.
If the value in the box "Cost Calc." is "0", the automatically calculated value is shown.
Otherwise, the value of the "Cost Calc." box is displayed.
The calculation of the path costs is largely based on the transmission speed. The higher
the achievable transmission speed is, the lower the value of the path costs.
Typical values for path costs with rapid spanning tree:
– 10,000 Mbps = 2,000
– 1000 Mbps = 20,000
– 100 Mbps = 200,000
– 10 Mbps = 2,000,000
The values can, however, also be set individually.
● Status
Displays the current status of the port. The values are only displayed and cannot be
configured. The "Status" parameter depends on the configured protocol. The following
values are possible:
–
Disabled
The port only receives and is not involved in STP, MSTP and RSTP.
– Discarding
In the "Discarding" mode, BPDU frames are received. Other incoming or outgoing
frames are discarded.
– Listening
In this status, BPDUs are both received and sent. The port is involved in the spanning
tree algorithm.
–
Learning
Stage prior to the "Forwarding" status, the port is actively learning the topology (in
other words, the node addresses).
–
Forwarding
Following the reconfiguration time, the port is active in the network; it receives and
forwards data frames.
● Fwd. Trans
Specifies the number of changes from the "Discarding" status to the "Forwarding" status.
● Edge Type
Specify the type of "edge port". You have the following options:
– "-"
Edge port is disabled. The port is treated as a "no Edge Port".
– Admin
Select this option when there is always an end device on this port. Otherwise a
reconfiguration of the network will be triggered each time a connection is changed.
– Auto
Select this option if you want a connected end device to be detected automatically at
this port. When the connection is established the first time, the port is treated as a "no
Edge Port".
– Admin/Auto
Select these options if you operate a combination of both on this port. When the
connection is established the first time, the port is treated as an "Edge Port".
● Edge
Shows the status of the port.
– Enabled
An end device is connected to this port.
– Disabled
There is a Spanning Tree or Rapid Spanning Tree device at this port.
With an end device, a switch can change over the port faster without taking into account
spanning tree frames. If a spanning tree frame is received despite this setting, the port
automatically changes to the "Disabled" setting.
● P.t.P. Type
Select the required option from the drop-down list. The selection depends on the port that
is set.
– "-"
Point to point is calculated automatically. If the port is set to half duplex, a point-to-
point link is not assumed.
– P.t.P.
Also with half duplex, a point-to-point link is assumed.
–
Shared Media
Even with a full duplex connection, a point-to-point link is not assumed.
Note
Point-to-point link means a direct connection between two devices. A shared media
connection is, for example, a connection to a hub.
4.7.5 LLDP
Applications
PROFINET uses LLDP for topology diagnostics. In the factory setting, LLDP is enabled for
all available ports; in other words, LLDP frames are sent on the ports.
The information sent is stored on every device with LLDP capability in an LLDP MIB file.
Network management systems can access these LLDP MIB files using SNMP and therefore
recreate the existing network topology. In this way, an administrator can find out which
network components are connected to each other and can localize disruptions.
On this page, you have the option of enabling or disabling sending and/or receiving per port.
Description
Table 1 has the following columns:
● All Ports
Shows that the settings are valid for all ports.
● Setting
Select the setting from the drop-down list. If "No Change" is selected, the entry in table 2
remains unchanged.
● Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
● Port
Shows the available ports.
● Setting
Specify the LLDP functionality. The following options are available:
– Rx
This port can only receive LLDP frames.
– Tx
This port can only send LLDP frames.
– Rx & Tx
This port can receive and send LLDP frames.
– "-" (disabled)
This port can neither receive nor send LLDP frames.
Procedure
1. Select the LLDP functionality of the port from the "Setting" drop-down list.
2. Click the "Set Values" button.
Description
The page contains the following boxes:
● Destination Network
Enter the network address of the destination that can be reached via this route.
● Subnet Mask
Enter the corresponding subnet mask.
● Interface
Specify whether the network address can be reached via a certain interface or via the
gateway (auto).
● Gateway
Enter the IPv4 address of the gateway via which this network address is reachable.
● Administrative Distance
Enter the metric for the route. The metric corresponds to the quality of a connection, for
example speed, costs. If there are several equal routes, the route with the lowest metric
value is used.
If you do not enter anything, "not used" is entered automatically. The metric can be
changed later.
Range of values: 1 - 255 or -1 for "not used".
Here, 1 is the value for the best possible route. The higher value, the longer packets
require to their destination.
Procedure
1. Enter the network address of the destination in the "Destination Network" input box.
2. Enter the corresponding subnet mask in the "Subnet Mask" input box.
3. For "Interface", select the entry "auto".
4. Enter the gateway in the "Gateway" input box.
5. Enter the weighting of the route in "Administrative Distance".
6. Click the "Create" button. A new entry is generated in the table.
7. Click the "Set Values" button.
4.8.2 Subnets
4.8.2.1 Overview
The page shows the subnets for the selected interface. A subnet always relates to an
interface and is created in the "Configuration" tab.
Description
The page contains the following box:
● Interface
Select the interface on which you want to configure another subnet.
The table has the following columns:
● Select
Select the row you want to delete.
● Interface
Shows the interface.
● TIA Interface
Shows the selected TIA interface.
● Interface Name
Shows the name of the interface.
● MAC Address
Shows the MAC address.
● IP Address
Shows the IPv4 address of the subnet.
● Subnet Mask
Shows the subnet mask.
● Address Type
Shows the address type. The following values are possible:
– Primary
The first IPv4 address that was configured on the IPv4 interface.
– Secondary
All other IPv4 addresses that were configured on the IPv4 interface.
● IP Assignment Method
Shows how the IPv4 address is assigned. The following values are possible:
– Static
The IPv4 address is static. You enter the settings in "IP Address" and "Subnet Mask".
– Dynamic (DHCP)
The device obtains a dynamic IPv4 address from a DHCPv4 server.
● Address Collision Detection Status
If new IPv4 addresses become active in the network, the "Address Collision Detection"
function checks whether this can result in address collisions. The allows IPv4 addresses
that would be assigned twice to be detected.
Note
The function does not run a cyclic check.
This column shows the current status of the function. The following values are possible:
– Idle
The interface is not enabled and does not have an IPv4 address.
– Starting
This status indicates the start-up phase. In this phase, the device initially sends a
query as to whether the planned IPv4 address already exists. If the address is not yet
been assigned, the device sends the message that it is using this IP address as of
now.
– Conflict
The interface is not enabled. The interface is attempting to use an IPv4 address
address that has already been assigned.
– Defending
The interface uses a unique IPv4 address. Another interface is attempting to use the
same IPv4 address.
– Active
The interface uses a unique IPv4 address. There are no collisions.
– Not supported
The function for detection of address collisions is not supported.
– Disabled
The function for detection of address collisions is disabled.
● MTU
Shows the packet size.
4.8.2.2 Configuration
On this page, you configure the subnet for the interface.
Description
The page contains the following:
● Interface (Name)
Select the interface from the drop-down list.
● Interface Name
Enter the name of the interface.
● MAC Address
Displays the MAC address of the selected interface.
● DHCP
Enable or disable the DHCP client for this IPv4 interface.
● IP Address
Enter the IPv4 address of the interface. The IPv4 addresses must not be used more than
once.
● Subnet Mask
Enter the subnet mask of the subnet you are creating. Subnets on different interfaces
must not overlap.
● Broadcast IP Address
If a specific IP address is to be used as the broadcast IP address of the subnet, enter
this. Otherwise the last IP address of the subnet will be used.
● Address Type
Shows the address type. The following values are possible:
– Primary
The first subnet of the interface.
– Secondary
All further subnets of the interface.
● TIA Interface
Select whether or not this interface should become the TIA Interface. The TIA interface
defines on which VLAN the PROFINET functionalities are available. This mainly affects
the device search with or via DCP.
● MTU
MTU (Maximum Transmission Unit) specifies the maximum size of the packet. If packets
are longer than the set MTU, they are fragmented. The MTU covers the IP header and
the headers of the higher layers.
The range of values is from 90 to 1500 bytes.
4.8.3 NAT
4.8.3.1 Masquerading
On this WBM page, you enable the rules for IP masquerading.
Description
The table has the following columns:
● Interface
Interface to which the setting relates. Only interfaces with a configured subnet are
available.
● Enable Masquerading
When enabled, with each outgoing data packet sent via this interface, the source IP
address is replaced by the IP address of the interface.
4.8.3.2 NAPT
On this WBM page, you can configure a port translation in addition to the address
translation.
The following port translations are possible:
● From a single port to the same port:
If the ports are the same, the frames will be forwarded without port translation.
● From a single port to a single port
The frames are translated to the port.
● From a port range to a single port
The frames from the port range are translated to the same port (n:1).
● From a port range to the same port range
If the port ranges are the same, the frames will be forwarded without port translation.
Description
The page contains the following boxes:
● Source Interface
Select the interface on which the queries will arrive.
● Traffic Type
Specify the protocol for which the address assignment is valid.
● Use Interface IP from Source Interface
When enabled, the IP address of the selected interface is used for "Dest IP Address".
● Destination IP Address
Enter the destination IP address. The frames are received at this IP address. Can only be
edited if "Use Interface IP from Source Interface" is disabled.
● Destination Port
Enter the destination port. Incoming frames with this port as the destination port are
forwarded. If the setting is intended to apply to a port range, enter the range with start
port "-" end port, for example 30 - 40.
● Translated Destination IP
Enter the IP address of the node to which this frame will be forwarded.
● Translated Destination Port
Enter the number of the port. This is the new destination port to which the incoming frame
will be forwarded. If the setting is intended to apply to a port range, enter the range with
start port "-" end port, for example 30 - 40.
Note
Firewall rule with source NAT
Address translation with source NAT was only performed after the firewall; the non-
translated addresses are therefore used.
Security > Firewall > IP rules
• Source (Range): Input from "Source IP Addresses"
• Destination (Range): Input from "Destination IP Addresses"
Description
● Source Interface / Destination Interface
Specify the direction of the connection establishment. Only connections established in
this specified direction are taken into account.
The virtual interfaces of VPN connections can also be selected:
– VLANx: VLANs with configured subnet
– ppp0 or usb0 (only with M876-4): WAN interface
– SINEMA RC: Connection to SINEMA RC Server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
– OpenVPN: Either all OpenVPN connections (all) or a specific OpenVPN connection
Note
When you configure a NAT address translation to or from the direction of the VPN tunnel,
only the IP addresses involved in the NAT address translation rules can be reached via
the VPN tunnel.
● Source IP Address(es)
Specify the source IP addresses for which this source NAT rule is valid. Only the packets
that correspond to the addresses entered are taken into account.
The following entries are possible:
– IP address: Applies precisely to the specified IP address.
– IP address range: Applies to a certain IP address range: Start IP address "-" End IP
address, e.g. 192.168.100.10 - 192.168.100.20
– IP subnet: Applies to several IPv4 addresses grouped together to form an IP address
range: IP address/number of bits of the network part (CIDR notation)
● Use Interface IP from Destination Interface
When enabled, the IP address of the selected destination interface is used in "Translated
Source IP Address".
4.8.3.4 NETMAP
On this WBM page, you specify the rules for NETMAP. NETMAP is static 1:1 mapping of
network addresses in which the host part is retained. For more information, refer to the
section "NAT and firewall (Page 49)".
Note
Firewall rule with source NAT
Address translation with source NAT was only performed after the firewall; the non-
translated addresses are therefore used.
Security > Firewall > IP rules
• Source (Range): Input from "Source IP Subnet"
• Destination (Range): Input from "Destination IP Subnet"
Firewall rule with destination NAT
Address translation with NAT was already performed before the firewall; the translated
addresses are therefore used in the firewall.
Security > Firewall > IP rules
• Source (Range): Input from "Source IP Subnet"
• Destination (Range): Input from "Translated Destination IP Subnet"
Description
● Type
Specify the type of address translation.
– Source: Replacement of the source IP address
– Destination: Replacement of the destination IP address
● Source Interface
Specify the source interface.
– VLANx: VLANs with configured subnet
– ppp0 or usb0 (only with M876-4): WAN interface
– SINEMA RC: Connection to SINEMA RC Server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
– OpenVPN: Either all OpenVPN connections (all) or a specific OpenVPN connection
● Destination Interface
Specify the destination interface.
– VLANx: VLANs with configured subnet
– ppp0 or usb0 (only with M876-4): WAN interface
– SINEMA RC: Connection to SINEMA RC Server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
– OpenVPN: Either all OpenVPN connections (all) or a specific OpenVPN connection
● Source IP Subnet
Enter the subnet of the sender.
The subnet can also be a single PC or another subset of the subnet. Use the CIDR
notation.
● Translated Source IP Subnet
Enter the subnet with which the subnet of the sender is replaced. Can only be edited with
the setting "Source".
The subnet can also be a single PC or another subset of the subnet. Use the CIDR
notation.
● Destination IP Subnet
Enter the subnet of the recipient.
The subnet can also be a single PC or another subset of the subnet. Use the CIDR
notation.
● Translated Destination IP Subnet
Enter the subnet with which the subnet of the recipient is replaced. Can only be edited
with the setting "Destination".
The subnet can also be a single PC or another subset of the subnet. Use the CIDR
notation.
● Bidirectional rule
When this is enabled, the NETMAP rule for the opposite direction is automatically created
when the NETMAP rule is created.
The NETMAP rules are not connected to one another after creation. This means that no
synchronization takes place between the NETMAP rules when they are changed or
deleted.
● Auto Firewall Rule
When this is enabled, the corresponding firewall rule is automatically created when the
NETMAP rule is created. These firewall rules are displayed under "Security > Firewall >
IP rules". If you change or delete the NETMAP rules, the corresponding firewall rules are
adjusted or deleted.
The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Type
Shows the direction of the address translation.
● Source Interface
Shows the source interface.
● Destination Interface
Shows the destination interface.
● Source IP Subnet
Shows the subnet of the sender. This entry can be changed when necessary.
● Translated Source IP Subnet
Shows the subnet of the sender with which the subnet of the sender is replaced. This
entry can be changed when necessary.
● Destination IP Subnet
Shows the subnet of the recipient. This entry can be changed when necessary.
● Translated Destination IP Subnet
Shows the subnet of the recipient with which the subnet of the recipient is replaced. This
entry can be changed when necessary.
4.8.4 VRRPv3
4.8.4.1 Router
Introduction
Using the "Create" button, you can create new virtual routers. A maximum of 2 virtual routers
can be configured. You can configure other parameters on the "Configuration" tab.
Note
• You can use VRRPv3 on VLAN interfaces.
Requirement
For the incoming VRRP packets to be forwarded to the device, you must configure the
following firewall rule:
Security > Firewall > IP protocol:
● Protocol Name: "VRRP"
● Protocol Number: 112
Security > Firewall > IP rules:
● Protocol: IPv4
● Action: Accept
● From: <Interface>
● To: Device
● Source (Range): 0.0.0.0/0
● Destination (Range): 224.0.0.18/32
● Services: VRRP
Description
The page contains the following:
● VRRPv3
Enable or disable routing using VRRPv3.
● Reply to pings on virtual interfaces
When enabled, the virtual IPv4 addresses also reply to the ping.
● VRID-Tracking
Enable or disable VRID tracking.
When enabled, all VRRP instances are monitored. If the status of a VRRP instance
changes to "Initialize", the priority of all VRRP instances is reduced to the value "1".
If the status of a VRRP instance changes, the original priority of all VRRP instances is
restored.
● Interface
Select the required VLAN interface operating as virtual router.
● VRID
Enter the ID of the virtual router. This ID defines the group of routers that form a virtual
router (VR). In the group, this is the same. It can no longer be used for other groups.
Valid values are 1.. 255.
The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Interface
Shows the Interface that functions as the virtual router.
● VRID
Shows the ID of the virtual router.
● Virtual MAC Address
Shows the virtual MAC address of the virtual router.
● Primary IP Address
Shows the numerically lowest IPv4 address in this VLAN. The entry 0.0.0.0 means that
the "Primary" address on this VLAN is used. Otherwise all IPv4 addresses configured on
this VLAN in the "Layer 3 (IPv4) > Subnets" menu are valid values.
● Router State
Shows the current status of the virtual router. Possible values are:
– Master
The router is the master router and handles the routing functionality for all assigned
IPv4 addresses.
– Backup
The router is the backup router. If the master router fails, the backup router takes over
the tasks of the master router.
– Initialize
The virtual router has just been turned on. It will soon change to the "Master" or
"Backup" status.
● Master IP Address
Shows the IPv4 address of the master router.
● Priority
Shows the priority of the virtual router.
Valid values are 1-254.
If an IPv4 address is assigned to the VRRP router that is also actually configured on the
local IPv4 interface, the value 255 is entered automatically. All other priorities can be
distributed freely among the VRRP routers. The higher the priority, the earlier the VRRP
router becomes "Master".
● Advert. Internal
Shows the interval at which the master router sends VRRPv3 packets.
● Preempt
Shows the precedence of a router when changing roles between backup and master.
– yes
This router has precedence when changing roles.
– no
This router does not have precedence when changing roles.
Procedure
1. Select the "VRRPv3" check box.
2. Select the required interface.
3. Enter the ID of the virtual router in the "VRID" input box.
4. Click the "Create" button. A new row is inserted in the table.
5. Select the "Reply to pings on virtual interfaces" check box so that virtual IPv4 addresses
reply to pings as well.
6. Select the "VRID Tracking" check box to monitor the VRID.
7. Click the "Set Values" button. To configure the virtual router, click on the "Configuration"
tab.
4.8.4.2 Configuration
Introduction
On this page, you configure the virtual router.
Description
The page contains the following:
● Interface / VRID
Select the ID of the virtual router to be configured.
● Primary Address
Select the primary IPv4 address. If the router becomes master router, the router uses this
IPv4 address.
Note
If you only configure one subnet on this VLAN, no entry is necessary. The entry is then
0.0.0.0.
If you configure more than one subnet on the VLAN and you want a specific IPv4 address
to be used as the source address for VRRP packets, select the IPv4 address. Otherwise,
the numerically lowest IPv4 address will be used.
● Master
When enabled, the numerically lowest IPv4 address is entered for "Associated IP
Address". This means that the numerically lowest IPv4 address of the VRRPv3 router is
used as the virtual IP address of the virtual master router. The backup routers in this
group must disable the option and use the IPv4 address of the router for "Associated IP
address".
● Priority
Enter the priority of this virtual router. Valid values are 1-254.
If an IPv4 address is assigned to the VRRPv3 router that is also actually configured on
the local IPv4 interface, the value 255 is entered automatically. All other priorities can be
distributed freely among the VRRPv3 routers. The higher the priority, the earlier the
VRRPv3 router becomes "Master".
● Advertisement interval
Enter the interval in seconds after which a master router sends a VRRPv3 packet again.
● Preempt lower priority Master
Allow precedence when changing roles between backup and master based on the
selection process.
● VRRP Compatible Mode
When enabled, the VRRPv3 router sends and receives VRRPv2 frames in addition to
VRRPv3 frames for configured IPv4 addresses. Only necessary when not all VRRP
routers support VRRPv3.
● Track ID
Select a track ID.
● Decrement Priority
Enter the value by which the priority of the VRRPv3 interface will be reduced.
● Current Priority
Shows the priority of the VRRPv3 interface after the monitored interface has changed to
the "down" status.
Procedure
To configure a virtual router as the master router, follow the steps below:
1. Select the ID of the virtual router you want to configure from the "Interface / VRID" drop-
down list.
2. Select the "Status" check box.
3. Select the source address from the "Primary Address" drop-down list.
4. From the "Priority" drop-down list, enter the priority of this virtual router.
5. Select the "Master" check box.
6. Enter the interval in "Advertisement Interval".
7. Select the "Preempt lower priority Master" check box.
8. Select the "VRRP Compatible Mode" check box.
9. Select a track ID.
10.Enter the value by which the priority of the VRRPv3 interface will be reduced
11.Click the "Set Values" button.
Overview
This page shows which IPv4 addresses the virtual router monitors. Each virtual router can
monitor on IPv4 address.
● Number of Addresses
Shows the number of IPv4 addresses.
● Associated IP Address (1) ...Associated IP Address (4)
Shows the router IPv4 addresses monitored by this virtual router. If a router takes over
the role of master, the routing function is taken over by this router for all these IPv4
addresses.
Description
The page contains the following:
● Interface / VRID
Select the ID of the virtual router.
● Associated IP Address
Enter the IPv4 address that the virtual router will monitor.
The table has the following columns:
● Select
Select the check box in the row to be deleted
● Associated IP Address
Shows the IPv4 addresses that the virtual router monitors.
Procedure
1. Select the ID of the virtual router.
2. Enter the IPv4 address that the virtual router will monitor.
3. Click the "Create" button. A new entry is generated in the table.
Introduction
On this page, you configure the monitoring of interfaces.
When the link of a monitored interface changes from "up" to "down", the priority of the
assigned VRRP interface is reduced. You configure the value by which the priority is
reduced on the page "Layer 3 > VRRPv3 > Configuration".
When the link of the interface changes back from "down" to "up", the original priority of the
VRRP interface is restored.
Description
The page contains the following boxes:
● Interface
From the drop-down list, select the interface to be monitored.
● Track ID
Enter a track ID.
● Track ID
Select a track ID.
● Track Interface Count
Enter how many monitored interfaces need to change to the "down" status, before the
priority is changed.
The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Track ID
Shows the track ID.
● Interface
Shows the interface that is being monitored.
Procedure
1. Select the required interface from the "Interface" drop-down list.
2. In the "Track ID" box, enter the required ID.
3. Click the "Create" button.
4. Select an ID from the "Track-ID" drop-down list:
5. In the "Track Interface Count" enter the number of interfaces.
6. Click the "Set Values" button.
7. Link the monitoring to a VRRP interface in the "Configuration" tab.
4.9.1 Users
User accounts
On this page, you create local user accounts with the corresponding rights. To create a user
account, the logged on user must have the "admin" role.
Description
The page contains the following:
● User Account
Enter the name for the user. The name must meet the following conditions:
– It must be unique.
– It must be between 1 and 250 characters long.
– It must not contain the following characters: § ? " ; :
– The characters for Space and Delete also cannot be included.
Note
User name cannot be changed
After creating a user, the user name can no longer be modified.
If a user name needs to be changed, the user must be deleted and a new user created.
Note
User names: admin
You can configure the device with this user name.
When you log in for the first time or log in after a "Restore Factory Defaults and Restart",
you will be prompted to change the predefined password "admin". You can also rename
the "admin" user preset in the factory once. Afterwards, renaming "admin" is no longer
possible.
● Password Policy
Shows which password policy is being used.
– High
Password length: at least 8 characters, maximum 128 characters
At least 1 uppercase letter
At least 1 special character
At least 1 number
– Low
Password length: at least 6 characters, maximum 128 characters
You configure the password policy on the page "Security > Passwords > Options".
● Password
Enter the password. The strength of the password depends on the set password policy.
It must not contain the following characters: § and ß
● Password Confirmation
Enter the password again to confirm it.
● Role
Select a role.
You can choose between default and self-defined roles, refer to the page "Security >
Users > Roles.".
The table contains the following columns:
● Select
Select the check box in the row to be deleted.
Note
The users preset in the factory as well as logged in users cannot be deleted or changed.
● User Account
Shows the user name.
● Role
Shows the role of the user.
● Description
Displays a description of the user account. The description text can be up to 100
characters long.
● Remote access
– Only
Only remote access, which means no rights other than logging into the WBM page for
user-specific firewall.
– None
No remote access. The user cannot log on to the user-specific firewall, but only to the
WBM of the device.
– Additional
The user can log on to both the WBM of the device and the user-specific firewall.
Procedure
Note
Changes in "Trial" mode
Even if the device is in "Trial" mode, changes that you carry out on this page are saved
immediately.
Creating users
1. Enter the name for the user.
2. Enter the password for the user.
3. Enter the password again to confirm it.
4. Select the role of the user.
5. Click the "Create" button.
6. Enter a description of the user.
7. Click the "Set Values" button.
Deleting users
1. Select the check box in the row to be deleted.
2. Click the "Delete" button. The entries are deleted and the page is updated.
4.9.1.2 Roles
Roles
On this page, you create roles that are valid locally on the device.
Note
The values displayed depend on the rights of the logged-in user.
Description
The page contains the following:
● Role Name
Enter the name for the role. The name must meet the following conditions:
– It must be unique.
– It must be between 1 and 64 characters long.
Note
Role name cannot be changed
After creating a role, the name of the role can no longer be changed.
If a name of a role needs to be changed, the role must be deleted and a new role
created.
Note
Predefined roles and assigned roles cannot be deleted or modified.
● Role
Shows the name of the role.
● Function Right
Select the function rights of the role.
– 1
Users with this role can read device parameters but cannot change them. Users with
this role can change their own password.
– 15
Users with this role can both read and change device parameters.
Note
Function right cannot be changed
If you have assigned a role, you can no longer change the function right of the role.
If you want to change the function right of a role, follow the steps outlined below:
1. Delete all assigned users.
2. Change the function right of the role:
3. Assign the role again.
● Description
Enter a description for the role. With predefined roles a description is displayed. The
description text can be up to 100 characters long.
Procedure
Creating a role
1. Enter the name for the role.
2. Click the "Create" button.
3. Select the function rights of the role.
4. Enter a description of the role.
5. Click the "Set Values" button.
Deleting a role
1. Select the check box in the row to be deleted.
2. Click the "Delete" button. The entries are deleted and the page is updated.
4.9.1.3 Groups
User groups
On this page you link a group with a role.
In this example the group "Administrators" is linked to the "admin" role: The group is defined
on a RADIUS server. The role is defined locally on the device. When a RADIUS server
authenticates a user and assigns the user to the "Administrators" group, this user is given
rights of the "admin" role.
Note
The values displayed depend on the rights of the logged-in user.
Description
The page contains the following:
● Group Name
Enter the name of the group. The name must match the group on the RADIUS server.
The name must meet the following conditions:
– It must be unique.
– It must be between 1 and 64 characters long.
– The following are not permitted: § ? " ; :
The table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Group
Shows the name of the group.
● Role
Select a role. Users who are authenticated with the linked group on the RADIUS server
receive the rights of this role locally on the device.
You can choose between system-defined and self-defined roles, refer to the page
"Security > Users > Roles.".
● Description
Enter a description for the link of the group.to a role. The description text can be up to
100 characters long.
Procedure
Linking a group to a role.
1. Enter the name of a group.
2. Click the "Create" button.
3. Select a role.
4. Enter a description for the link of a group.to a role.
5. Click the "Set Values" button.
Deleting the link between a group and a role
1. Select the check box in the row to be deleted.
2. Click the "Delete" button. The entries are deleted and the page is updated.
4.9.2 Passwords
A user with the "admin" role can change the password of already created users. With the
"user" role, users can only change their own password.
Description
The page contains the following:
● Current User
Shows the user that is currently logged in.
● Current User Password
Enter the password for the currently logged in user.
● User Account
Select the user whose password you want to change.
● Password Policy
Shows which password policy is being used when assigning new passwords.
– High
Password length: at least 8 characters, maximum 128 characters
At least 1 uppercase letter
At least 1 special character
At least 1 number
– Low
Password length: at least 6 characters, maximum 128 characters
● New Password
Enter the new password for the selected user.
It must not contain the following characters: § and ß
Note
When you log in for the first time or log in after a "Restore Factory Defaults and Restart",
you will be prompted to change the predefined password "admin". You can also rename
the "admin" user preset in the factory once. Afterwards, renaming "admin" is no longer
possible.
The factory setting for the password when the devices ship is as follows:
• admin: admin
Note
Changing the password in Trial mode
Even if you change the password in Trial mode, this change is saved immediately.
● Password Confirmation
Enter the new password again to confirm it.
4.9.3 AAA
4.9.3.1 General
Description
The page contains the following boxes:
Note
To be able to use the login authentication "RADIUS", "Local and RADIUS" or "RADIUS and
fallback Local" a RADIUS server must be stored and configured for user authentication.
● Login Authentication
Specify how the login is made:
– Local
The authentication must be made locally on the device.
– RADIUS
The authentication must be handled via a RADIUS server.
– Local and RADIUS
The authentication is possible both with the users that exist on the device (user name
and password) and via a RADIUS server.
The user is first searched for in the local database. If the user does not exist there, a
RADIUS request is sent.
– RADIUS and fallback Local
The authentication must be handled via a RADIUS server.
A local authentication is performed only when the RADIUS server cannot be reached
in the network.
● Test
With this button, you can test whether or not the specified RADIUS server is available.
The test is performed once and not repeated cyclically.
● Test Result
Shows whether or not the RADIUS server is available:
– Not reachable
The IP address is not reachable.
The IP address is reachable, the RADIUS server is, however, not running.
– Reachable, key not accepted
The IP address is reachable, the RADIUS server does not, however accept the shared
secret.
– Reachable, key accepted
The IP address is reachable, the RADIUS server accepts the specified shared secret.
Procedure
Entering a new server
1. Click the "Create" button. A new entry is generated in the table.
The following default values are entered in the table:
– RADIUS Server Address: 0.0.0.0
– Server Port: 1812
– Max. Retrans.: 3
– Primary server: No
2. In the relevant row, enter the following data in the input boxes:
– RADIUS Server Address
– Server Port
– Shared Secret
– Shared Secret Conf
– Max. Retrans.: 3
– Primary server: No
3. If necessary check the reachability of the RADIUS server.
4. Click the "Set Values" button.
Repeat this procedure for every server you want to enter.
Modifying servers
1. In the relevant row, enter the following data in the input boxes:
– RADIUS Server Address
– Server Port
– Shared Secret
– Shared Secret Conf
– Max. Retrans.
– Primary Server
2. If necessary check the reachability of the RADIUS server.
3. Click the "Set Values" button.
Repeat this procedure for every server whose entry you want to modify
Deleting servers
1. Click the check box in the first column before the row you want to delete to select the
entry for deletion.
Repeat this for all entries you want to delete.
2. Click the "Delete" button. The data is deleted from the memory of the device and the
page is updated.
4.9.4 Certificates
4.9.4.1 Overview
All loaded files (certificates and keys) are shown on this WBM page. You have the following
options for loading files on the device:
● System > Load&Save > HTTP
● System > Load&Save > TFTP
● System > Load&Save > SFTP
Description
● Select
Select the check box in the row to be deleted. Only unused certificates can be deleted.
● Type
Shows the type of the loaded file.
– CA Cert
The CA certificate is signed by a CA (Certification Authority).
– Machine certificate
– Key File
– Remote Cert
Partner certificate
● Filename
Shows the file name.
● Status
Shows whether the certificate is valid or has already expired.
● Subject DN
Shows the name of the applicant.
● Issuer DN
Shows the name of the certificate issuer.
● Issue Date
Shows the start of the period of validity of the certificate
● Expiry Date
Shows the end of the period of validity of the certificate.
● Used
Shows which function uses the certificate.
4.9.4.2 Certificates
The format of the certificate is based on X.509, a standard of the ITU-T for creating digital
certificates. This standard describes the schematic structure of X509 certificates. You will
find further information on this on the Internet at "http://www.itu.int".
On this WBM page, the content of the following structure elements can be displayed. If the
structure element does not exist or is not completed in the selected certificate, nothing is
shown in the box on the right. Certain entries can only be edited if they are supported.
Description
● Filename
Select the required certificate.
● Type
Shows the type of the loaded file.
– CA Cert
The CA certificate is signed by a CA (Certification Authority).
– Machine certificate
– Key File
– Remote Cert
Partner certificate
● DN
Shows the name of the applicant.
● Issuer DN
Shows the name of the certificate issuer.
● Subject Alternate Name
If it exists, an alternative name of the applicant is displayed.
● Issue Date
Shows the start of the period of validity of the certificate
● Expiry Date
Shows the end of the period of validity of the certificate.
● Serial Number
Shows the serial number of the certificate.
● Used
Shows which function uses the certificate.
● Crypto Algorithm
Shows which cryptographic method is used.
● Key Usage
Shows the purpose that the key belonging to the certificate is used for, e.g. to verify
digital signatures.
● Extended Key Usage
Shows whether the purpose is additionally restricted, e.g. only to verify signatures of the
CA certificate.
● Key File
Shows the key file.
● Certificate Revocation List 1st URL
Enter the URL with which the revocation list can be called up. Can only be edited if
supported by the certificate.
● Certificate Revocation List 2nd URL
Enter an alternative URL. If the revocation list cannot be called up using the 1st URL, the
alternative URL is used. Can only be edited if supported by the certificate.
● Certificate
Shows the name of the certificate.
● Passphrase
Enter the password for the certificate. Can only be edited if the encrypted file is password
protected.
● Passphrase Confirmation
Enter the password again. Can only be edited if the encrypted file is password protected.
4.9.5 Firewall
4.9.5.1 General
On this WBM page, you enable the firewall.
Note
Please remember that if you disable the firewall, your internal network is unprotected.
Description
The page contains the following:
● Activate Firewall
When enabled, the firewall is active.
● TCP Idle Timeout [s]
Enter the required time in seconds. If no data exchange takes place, the TCP connection
is terminated automatically when this time has elapsed.
The range of values is 1 to 21474836.
Default setting: 86400 seconds
● UDP Idle Timeout [s]
Enter the required time in seconds. If no data exchange takes place, the UDP connection
is terminated automatically when this time has elapsed.
The range of values is 1 to 21474836.
Default setting: 300 seconds
● ICMP Idle Timeout [s]
Enter the required time in seconds. If no data exchange takes place, the ICMP
connection is terminated automatically when this time has elapsed.
The range of values is 1 to 21474836.
Default setting: 300 seconds
Description
● Interface
Interface to which the setting relates. The list of interfaces/subnets is dynamic and is
based on the settings from "Layer 3 > Subnet".
– VLANx: Allows access from the IP subnet to the device.
● Access over the firewall is permitted to the following IPv4 services:
– All
All predefined IPv4 services
– HTTP
For access to Web Based Management.
– HTTPS
For secure access to Web Based Management.
Note
HTTP and HTTPS deactivated
If you disable HTTP and HTTPS, the WBM of the device can no longer be reached.
HTTPS disabled
When you disable HTTPS, you can only access the WBM using HTTP. This assumes
that "HTTP & HTTPS" is set in "System > Configuration > HTTP Services". If for
example "Redirect HTTP to HTTPS" is set, access via HTTP cannot be redirected to
HTTPS. This means that the WBM of the device can no longer be reached.
– DNS
DNS queries to the device. Necessary only if the "DNS-Relay" function is enabled on
the device.
– SNMP
Incoming SNMP connections. Required, for example, to access the SNMP information
of the device using an MIB browser or SINEMA Server.
– Telnet
For unencrypted access to the CLI.
– IPSec VPN
Allows IKE (Internet Key Exchange) data transfer from the external network to the
device. Necessary if an IPsec VPN remote station needs to establish a connection to
this device.
– SSH
For encrypted access to the CLI.
– DHCP
Access to the DHCP server or the DHCP client
– Ping
Access to the ping function
– System time
Access to NTP and SNTP.
4.9.5.3 User-specific
On this page, you define user-specific rule sets. Firewall rules that are required for remote
access, for example, can be summarized with a rule set.
You can assign a rule set to one or more users. If login of this user was successful, the
firewall rule set intended for this user is enabled.
A timer is started after login. When the time expires, the user is automatically logged out
from the device.
Description
4.9.5.4 IP services
On this WBM page, you define IP services. Using the IP service definitions, you can define
firewall rules for specific services. You select a name and assign the service parameters to
it. When you configure the IP rules, you simply use this name.
Description
The page contains the following:
● Service Name
Enter the name of the IP service. The name must be unique.
This table contains the following columns:
● Select
Activate the check box in the row to be deleted.
● Service Name
Shows the name of the IP service.
● Transport
Specify the protocol type.
– UDP
The rule applies only to UDP frames.
– TCP
The rule applies only to TCP frames.
Description
The page contains the following:
● Service Name
Enter a name for the ICMP service. The name must be unique.
The table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Service Name
Shows the name of the ICMP service.
● Protocol
Shows the version of the ICMP protocol.
● Type
Specify the ICMP packet type. A few examples are shown below:
– Destination Unreachable
IP frame cannot be delivered.
– Time Exceeded
Time limit exceeded
– Echo-Request
Echo request, better known as ping.
● Code
The code describes the ICMP packet type in greater detail. The selection depends on the
selected ICMP packet type.
With "Destination Unreachable", for example "Code 1" host cannot be reached.
4.9.5.6 IP protocols
On this WBM page, you can configure user-defined protocols, e.g. IGMP for multicast
groups. You select a protocol name and assign the service parameters to it. When you
configure the IP rules, you simply use this protocol name.
Description
The page contains the following:
● Protocol Name
Enter a name for the protocol.
Procedure
Create IGMP protocol
1. Enter IGMP in "Protocol Name".
2. Click the "Set Values" button. A new entry is generated in the table.
3. Enter "2" in "Protocol Number".
4.9.5.7 IP rules
On this WBM page, you specify your own IP rules for the firewall.
The IP rules set here have priority:
● Over the predefined IPv4 rules and
● Over the IP rules created automatically due to a connection configuration (SINEMA RC).
Description
● IP Version
The version of the IP protocol.
● Rule set
Select the required rule set. Only the IP rules that are assigned to this rule set will then be
displayed in the table, provided that "Show all" is disabled.
● Show all
When enabled, all available IP rules are displayed. With the "Assign" setting, you assign
an IP rule to the selected rule set.
The table contains the following columns:
● Select
Activate the check box in the row to be deleted.
● Protocol
Shows the version of the IP protocol.
● Action
Select how incoming IP packets are handled:
– "Accept" - The data packets can pass through.
– "Reject" – The data packets are rejected, and the sender receives a corresponding
message.
– "Drop" – The data packets are discarded without any notification to the sender.
● From / To
Specify the communications direction of the IP rule.
– VLANx: VLANs with configured subnet
– Device: Device
– ppp0 or usb0 (only with M876-4): WAN interface
– SINEMA RC: Connection to SINEMA RC Server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
● Source (Range)
Enter the IP address or an IP range that is allowed to receive IP packets.
– Individual IP address:
Enter the IPv4 address.
– IP range
Specify the range with the start address "-" end address, e.g. 192.168.100.10 -
192.168.100.20.
– All IP addresses
Specify "0.0.0.0/0".
– DYNAMIC
If the rule set is activated by a user, the placeholder DYNAMIC is replaced by the IP
address of the end device used.
Note
Digital input and DYNAMIC placeholder
If the rule set is executed by controlling the digital input, the placeholder DYNAMIC is
replaced by the setting for "Dynamic Source (Range)". You configure the setting in
"Security > Firewall > User-specific".
Destination (Range)
Enter the IP address or an IP range that is allowed to receive IP packets.
– Individual IP address:
Enter the IPv4 address.
– IP range
Specify the range with the start address "-" end address, e.g. 192.168.100.10 -
192.168.100.20.
– All IP addresses
Specify "0.0.0.0/0".
● Service
Select the service or the protocol name for which this rule is valid.
● Log
Specify whether or not there should be a log entry every time the rule comes into effect
and specify the severity of the event.
The following settings are available:
– none
The rule coming into effect is not logged.
– info / warning / critical
The rule coming into effect is logged with the selected event severity. The log file is
displayed in "Information" > "Log Tables" > "Firewall Log".
● Precedence
In ascending order starting with 0, you define the sequence in which the IP rules of the
firewall are processed.
● Assign
To assign the IP rules to the selected rule set, activate the setting for the desired rule set
and click the "Set Values" button.
● Assigned
Shows the rule set to which this IP rule is assigned. The IP rules can also be assigned to
multiple rule sets. If the IP rule is assigned to all rule sets, "all" is displayed.
● Name
Shows who created the IP rule.
– NETMAP - automatically created firewall rule
4.9.6.1 General
On the WBM page, you configure the basic settings for VPN.
Description
The page contains the following:
● Activate IPsec VPN
Enable or disable the IPsec protocol for VPN.
● Enforce strict CRL Policy
When enabled, the validity of the certificates is checked based on the CRL (Certificate
Revocation List). The certificate revocation list lists the certificates issued by the
certification authority that have lost their validity before the set expiry date. You configure
the certificate revocation list to be used on the WBM page "Certificates (Page 279)".
● NAT Keep Alive Time Interval
Specify the interval at which sign of life frames (keepalives) are sent. If there is a NAT
device between two VPN endpoints, when there is inactivity, the connection is deleted
from its dynamic NAT table. To prevent this, keepalives are sent.
Description
The page contains the following:
● Remote End Name
Enter the name of the remote station and click "Create" to create a new remote station.
This table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Name
Shows the name of the partner.
● Remote Mode
Specify the role the remote stations will adopt.
– Roadwarrior
The reachable remote addresses are entered. The reachable remote subnets are
learned from the partner.
– Standard
The reachable remote address and the reachable remote subnets are entered
permanently.
● Remote Type
Specify the type of remote station address.
– Manual
The address of the partner is known. The device can either establish the VPN
connection actively as a VPN client or wait passively for connection establishment by
the partner.
– Any
Accepts the connection from remote stations with any IP address address. The device
can only wait for VPN connections but cannot establish a VPN tunnel as the active
partner.
● Remote Address
Can only be edited with the remote type "Manual".
– In standard mode, enter the WAN IP address or the DDNS hostname of the partner.
The network mask is always 32
– In Roadwarrior mode, you can specify either the address of the partner or enter an IP
range from which connections will be accepted.
● Remote Subnet
– In standard mode, enter the remote subnet of the remote station. Use the CIDR
notation.
– In Roadwarrior mode, the remote address informs the device of its reachable subnets
and the device learns them.
● Virtual IP Mode
Specify whether or not the remote station is offered a virtual IP address.
The following options are available:
– User defined IPv4
The virtual IP address is from the band specified in "Virtual IP".
– None
No virtual IP address. The VPN tunnel is established dynamically to the internal IP
address of the remote station.
● Virtual IP
Specify the subnet (CIDR) from which the remote station is offered a virtual IP address.
Can only be edited if "user defined IPv4" is selected in "Virtual IP Mode".
Procedure
Configure VPN standard mode
1. Enter the name of the remote station in "Remote End Name".
2. Click the "Create" button. A new entry is generated in the table.
3. For "Remote Mode", select "Standard".
4. For "Remote Type", select "manual".
5. In "Remote Address", enter the WAN IP address and in "Remote Subnet" the subnet of
the remote station.
6. Click the "Set Values" button.
4.9.6.3 Connections
On the WBM page, you configure the basic settings for the VPN connection. With these
settings, the device (local endpoint) can establish a secure VPN tunnel to the partner. You
specify the security settings on the WBM page "Authentication".
Note
Several IPsec VPN connections via the same VPN endpoint
If you have created IPsec VPN connections to different remote subnets via the same VPN
endpoint, the first configured VPN connection (lowest index) is the main connection (parent).
Via the main connection all other IPsec VPN connections (children) are created and
established. If all VPN tunnels are now established and the main (parent) connection is
terminated all child connections are interrupted. After the DPD timeout has expired, all IPsec
VPN connections are reestablished via the main connection.
If only one child connection is terminated, the parent connection and the other child
connections are retained.
Note
IPsec: Restrictions for phase 2 connections
Create a maximum of 20 phase 2 connections per phase 1 (remote endpoint).
Note
If you use "NETMAP"
• only auto firewall rules are supported
• For "Operation" the setting "on demand" cannot be selected.
Description
The page contains the following boxes:
● Connection name
Enter a name for the VPN connection and click "Create" to create a new connection.
This table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Name
Shows the name of the VPN connection.
● Operation
Specify who establishes the VPN connection. You will find more detailed information in
"Technical basics > VPN connection establishment (Page 59)".
– Disabled
The VPN connection is disabled.
– start
The device attempts to establish a VPN connection to the partner.
– wait
The device waits for the remote station to initiate the connection establishment.
– on demand
The VPN connection is established when necessary.
– start on DI
If the event "Digital In" occurs the device attempts to establish a VPN connection to
the remote station.
This is on condition that the event "Digital In" is forwarded to the VPN connection. To
do this in "System > Events > Configuration" activate "VPN Tunnel" for the "Digital In"
event.
– wait on DI
If the event "Digital In" occurs, the device waits for the remote station to initiate
connection establishment.
This is on condition that the event "Digital In" is forwarded to the VPN connection. To
do this in "System > Events> Configuration" activate "VPN Tunnel" for the "Digital In"
event.
● Keying Protocol
Specify whether IKEv2 or IKEv1 will be used.
● Remote End
Select the required remote station. Only partners can be configured that have been
configured on the "Remote End" WBM page.
● Local Subnet
Enter the local subnet. Use the CIDR notation. The local network can also be a single PC
or another subset of the local network.
● Request Virtual IP
When enabled, a virtual IP address is requested from the remote station during
connection establishment.
● Timeout [sec]
Only necessary with the “on demand" setting. Enter the interval after which the VPN
connection will be terminated. If no packets are sent during this time, the VPN connection
is automatically terminated.
4.9.6.4 Authentication
On this WBM page, you specify how the VPN connection partners authenticate themselves
with each other.
Description
This table contains the following columns:
● Name
Shows the name of the VPN connection to which the settings relate.
● Authentication
Select the authentication method. For the VPN connection, it is essential that the partner
uses the same authentication method.
– Disabled
No authentication method is selected. Connection establishment is not possible.
– Remote Cert
The remote certificate is used for authentication. You specify the certificate in "Remote
Certificate"
– CA Cert
The certificate of the certification authority is used for authentication. You specify the
certificate in "CA Certificate".
– PSK
A key is used for authentication. You configure the key in "PSK".
● CA Certificate
Select the certificate. Only loaded certificates can be selected.
● Local Certificate
Select the machine certificate.
You load the certificates on the device with "System > Load&Save". The loaded
certificates and key files are shown on the WBM page "Security > Certificates".
● Local ID
Enter the local ID from the partner certificate. Only when you use the partner certificate
can you leave the box empty. The box is automatically filled with the value from the
partner certificate.
● Remote Certificate
Select the remote station certificate. Only loaded remote certificates can be selected.
You load the certificates on the device with "System > Load&Save". The loaded
certificates and key files are shown on the WBM page "Security > Certificates".
● Remote ID
Enter the "Distinguished Name" or "Alternate Name" from the partner certificate. Only
when you use the partner certificate can you leave the box empty. The box is
automatically filled with the value from the partner certificate.
● PSK
Enter the key.
● PSK Confirmation
Repeat the key.
4.9.6.5 Phase 1
Description
The table contains the following columns:
● Name
Shows the name of the VPN connection to which the settings relate.
● Default Ciphers
When enabled, a preset list is transferred to the VPN connection partner during
connection establishment. The list contains a combination of the three algorithms
(Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN
connection partner must support at least one of the combinations. The selection depends
on the key exchange method. Additional information can be found in the section "IPsec
VPN".
● Encryption
For phase 1, select the required encryption algorithm. Can only be selected if "Default
Ciphers" is disabled.
The selection depends on the key exchange method. Additional information can be found
in the section "IPsec VPN".
Note
The AES modes CCM and GCM contain separate mechanisms for authenticating data. If
you use a mode AES x CCM for "Encryption", this is also used for authentication. Then
only the pseudo random function will be derived from the "Authentication" parameter. So
that a VPN connection can be established, all devices need to use the same settings.
● Authentication
Specify the method for calculating the checksum. Can only be selected if "Default
Ciphers" is disabled.
The following methods are supported:
– MD5
– SHA1
– SHA512
– SHA256
– SHA384
● Key derivation
Select the required Diffie-Hellmann group (DH) from which a key will be generated. Can
only be selected if "Default Ciphers" is disabled.
The following DH groups are supported:
– DH group 1
– DH group 2
– DH group 5
– DH group 14
– DH group 15
– DH group 16
– DH group 17
– DH group 18
● Keying Tries
Enter the number of repetitions for a failed connection establishment. If you enter the
value 0, the connection establishment will be attempted endlessly.
● Lifetime [min]
Enter a period in minutes to specify the lifetime of the authentication. When the time has
elapsed, the VPN endpoints involved must authenticate themselves with each other again
and generate a new key
● DPD
When enabled, DPD (Dead Peer Detection) is used. Using DPD, it is possible to find out
whether the VPN connection still exists or whether it has aborted.
Note
Sending DPD queries increases the amount of data sent and received. This can lead to
increased costs.
Note
To avoid unwanted connection breakdowns, set the DPD timeout significantly higher than
the DPD period. We recommend setting it at least 2 minutes longer than the DPD period.
● Aggressive Mode
– Disabled:
Main Mode is used.
– Enabled
Aggressive Mode is used
The difference between main and aggressive mode is the "identity protection" used in
main mode. The identity is transferred encrypted in main mode but not in aggressive
mode.
4.9.6.6 Phase 2
Description
This table contains the following columns:
● Name
Shows the name of the VPN connection to which the settings relate.
● Default Ciphers
When enabled, a preset list is transferred to the VPN connection partner during
connection establishment. The list contains a combination of the three algorithms
(Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN
connection partner must support at least one of the combinations. Further information can
be found in the section "IPsec VPN".
● Encryption
For phase 2, select the required encryption algorithm. Can only be selected if "Default
Ciphers" is disabled.
Further information can be found in the section "IPsec VPN".
Note
The AES modes CCM and GCM contain separate mechanisms for authenticating data. If
you use a mode AES x CCM or AES x GCM for "Encryption", this will also be used for
authentication. Then only the pseudo random function will be derived from the
"Authentication" parameter.
● Authentication
Specify the method for calculating the checksum. Can only be selected if "Default
Ciphers" is disabled.
The following methods are supported:
– MD5
– SHA1
– SHA512
– SHA256
– SHA384
● Key Derivation
Select the required Diffie-Hellmann group (DH) from which a key will be generated. Can
only be selected if "Default Ciphers" is disabled.
The following DH groups are supported:
– None: For phase 2, no separate keys are exchanged. This means that Perfect
Forward Secrecy (PFS) is disabled.
– DH group 1
– DH group 2
– DH group 5
– DH group 14
– DH group 15
– DH group 16
– DH group 17
– DH group 18
Note
So that a VPN connection can be established, all devices need to use the same settings
or provide compatible key procedures..
● Lifetime [min]
Enter a period in minutes to specify the lifetime of the agreed keys. When the time
expires, the key is renegotiated.
● Lifebytes
Enter the data limit in bytes that specifies the lifetime of the agreed key. When the data
limit is reached, the key is renegotiated.
● Protocol
Specify the protocol for which the VPN connection is valid e.g. UDP, TCP, ICMP. If the
setting is intended to apply to all protocols, enter "*".
● Port (Range)
Specify the port via which the VPN tunnel can communicate. The setting applies
specifically to the specified port
– If the setting is intended to apply to a port range, enter the range with start port "-" end
port, for example 30 - 40.
– If the setting is intended to apply to all ports, enter "*".
The setting is only effective for port-based protocols.
● Auto Firewall Rules
– enabled
The firewall rules are created automatically for the VPN connection.
– disabled
You will need to create the firewall rules yourself.
4.9.7.1 General
On this WBM page, you enable the OpenVPN client.
Description
The page contains the following:
● Activate OpenVPN Client
Enable or disable the OpenVPN client.
4.9.7.2 Connections
On this WBM page, you configure the basic settings for the OpenVPN connection. You
specify the security settings on the WBM page "Authentication".
Description
● Connection name
Enter a unique name for the OpenVPN connection and click "Create" to create a new
connection.
The table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Name
Shows the name of the OpenVPN connection.
● Operation
Specify how the connection is established. You will find more detailed information in
"Technical basics > VPN connection establishment (Page 59)".
– start
The device attempts to establish a VPN connection to the partner.
– Start on DI
If the event "Digital In" occurs the device attempts to establish a VPN connection to
the remote station.
This is on condition that the event "Digital In" is forwarded to the VPN connection. To
do this in "System > Events> Configuration" activate "VPN Tunnel" for the "Digital In"
event.
– Disabled
The VPN connection is disabled.
● Encryption
Select the required encryption algorithm.
– AES-128-CBC (Default)
– AES-192-CBC
– AES-256-CBC
– DES-EDE3
– BF-CBC
● Authentication
Specify the method for calculating the checksum.
– SHA256 (default)
– SHA384
– SHA512
– SHA224
– SHA1
– MD5
● Use LZO
When enabled, the data is compressed with the LZO algorithm.
4.9.7.3 Remote
On this WBM page, you configure the partner (OpenVPN end point). Per connection, you
can specify several OpenVPN partners. The device tries all configured OpenVPN partners
one after the other until a connection is successfully established.
Description
The page contains the following:
● Remote Name
Enter a name for the OpenVPN partner and click "Create" to create a new partner.
This table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Name
Shows the name of the Open VPN partner.
● Connection
Select the corresponding connection. Only connections can be configured that have been
configured on the "Connections" WBM page.
● Remote Address
Enter the WAN IP address or the DNS host name of the OpenVPN partner.
● Port
Specify the port via which the OpenVPN tunnel can communicate. The setting applies
specifically to the specified port.
● Protocol
Specify the protocol for which the OpenVPN connection will be used.
● Proxy
Specify whether the OpenVPN tunnel to the defined OpenVPN partner is established via
a proxy server. Only the proxy servers can be selected that you configured in "System >
Proxy Server".
4.9.7.4 Authentication
On this WBM page, you specify how the VPN connection partners authenticate themselves
with each other.
Description
This table contains the following columns:
● Name
Shows the name of the VPN connection to which the settings relate.
● Method
Select the authentication method. For the VPN connection, it is essential that the partner
uses the same authentication method.
– Disabled
No authentication method is selected. Connection establishment is not possible.
– Certificates
Certificates are used for the authentication.
– User name/Password
The user name/password are used for the authentication.
● CA Certificate
Select the certificate. Only loaded certificates can be selected.
You load the certificates on the device with "System > Load&Save". The loaded
certificates and key files are shown on the WBM page "Security > Certificates".
● Machine certificate
Select the machine certificate. Only loaded certificates can be selected.
You load the certificates on the device with "System > Load&Save". The loaded
certificates and key files are shown on the WBM page "Security > Certificates".
● User Name
Specify the user name.
● Password
Enter the password.
● Password Confirmation
Confirm the password.
NOTICE
Do not remove or insert a PLUG during operation
A PLUG may only be removed or inserted when the device is turned off.
Note
Support as of V4.3
The PRESET-PLUG functionality is supported as of firmware version V4.3.
With the PRESET-PLUG, you can install the same device configuration (start configuration,
user accounts, certificates) including the corresponding firmware on multiple devices.
The PRESET PLUG is write-protected.
You configure the PRESET PLUG using the Command Line Interface (CLI).
Creating a PRESET-PLUG
You create the PRESET PLUG using the Command Line Interface (CLI). You can create a
PRESET-PLUG from any PLUG. To do this, follow the steps outlined below:
Note
Using configurations with DHCP
Create a PRESET-PLUG only from device configurations that use DHCP. Otherwise
disruptions will occur in network operation due to multiple identical IP addresses.
You assign fixed IP addresses extra following the basic installation.
Requirement
● A PLUG is inserted in the device on which you want to configure the PRESET-PLUG
functionality.
Procedure
1. Start the remote configuration using CLI and log on as a user with the "admin" role.
The CLI connection works either with Telnet (port 23) or SSH (port 22).
2. Switch to the global configuration mode with the command "configure terminal".
3. You change to the PLUG configuration mode with the "plug" command.
4. Create the PRESET-PLUG with the "presetplug" command.
The firmware version of the device and the current device configuration incl. user
accounts and certificates are stored on the PLUG and the PLUG is then write protected.
5. Turn off the power to the device.
6. Remove the PRESET-PLUG.
7. Start the device either with a new PLUG inserted or with the internal configuration.
Note
KEY-PLUG
If you have created the PRESET-PLUG from a KEY-PLUG, for operation with this
configuration, you require an inserted KEY-PLUG with factory settings.
IN this case before recommissioning the device you need to insert the relevant KEY-
PLUG.
Note
Restore factory defaults and restart with a PRESET PLUG inserted
If you reset a device to the factory defaults, when the device restarts an inserted PRESET
PLUG is formatted and the PRESET PLUG functionality is lost. You then need to create a
new PRESET PLUG. The keys stored on the KEY-PLUG for releasing functions are
retained.
We recommend that you remove the PRESET PLUG before you reset the device to the
factory settings.
Requirement
● The device has an IP address.
● The user is logged in with administrator rights.
Result
When the firmware is successfully loaded a dialog is displayed . Confirm the dialog with
"OK". The device is restarted.
In "Information" > "Versions" there is the additional entry "Firmware_Running".
Firmware_Running shows the version of the current firmware. Firmware shows the firmware
version stored after loading the firmware.
Cause
If there is a power failure during the firmware update, it is possible that the device is no
longer accessible using WBM and CLI.
Requirement
● The PC is connected to the device via the interfaces (P1 - P4).
● A TFTP client is installed on the PC and the firmware file exists.
Solution
You can then also transfer firmware to the device using TFTP.
Follow the steps below to load new firmware using TFTP:
1. Now press the SET button.
2. Hold down the button until the red fault LED (F) starts to flash after approximately 3
seconds.
Note
If you hold down the SET button for approximately 10 seconds, the device is reset to its
factory settings and can be reached with the IP address 192.168.1.1.
3. Now release the button. The bootloader waits in this state for new firmware file that you
can download by TFTP.
Note
If you want to exit the boot loader without making changes, press the SET button briefly.
The device restarts with the loaded configuration.
Note
Using TFTP
If you want to access TFTP in Windows 7, make sure that the corresponding Windows
function is enabled in the operating system.
Result
The firmware is transferred to the device.
Note
Please note that the transfer of the firmware can take several minutes. During the
transmission, the red error LED (F) flashes.
Once the firmware has been transferred completely to the device, the device is restarted
automatically.
NOTICE
Previous settings
If you reset, all the settings you have made will be overwritten by factory defaults.
NOTICE
Inadvertent reset
An inadvertent reset can cause disturbances and failures in a configured network with
further consequences.
Note
Additional information about the meaning of the boxes is available in RFC 5424.
https://tools.ietf.org/html/rfc5424
Log text {protocol}: User {user name} logged in from {ip address}.
Standard IEC 62443-3-3 Reference: SR1.1
Description Valid login information that is specified during remote login.
Example WBM: User admin logged in from 192.168.0.1.
Severity Info
Facility local0
Log text {protocol}: Default user {user name} logged in from {ip address}.
Standard IEC 62443-3-3 Reference: n/a (NERC-CIP 007-R5)
Description User logged in with default user name and password.
Example SSH: Default user admin logged in from 192.168.0.1.
Severity Info
Facility local0
Log text {protocol}: User {user name} logged out from {ip address}.
Standard IEC 62443-3-3 Reference: SR1.1
Description User session completed - logged out.
Example SSH: User admin logged out from 192.168.0.1.
Severity Info
Facility local0
Log text {protocol}: User {user name} failed to log in from {ip address}.
Standard IEC 62443-3-3 Reference: SR1.1
Description Incorrect user name or incorrect password (login information) specified during
remote login.
Example SSH: User testuser failed to log in from 192.168.0.1.
Severity Warning
Facility local0
Identification and authentication of device (connection via TIA Portal Cloud Connector)
Log text Cloud Connector:Connection number {config detail} from {ip address} estab-
lished.
Standard IEC 62443-3-3 Reference: SR 1.2
Description A known device requested a connection. (Connection via TIA Portal Cloud Con-
nector)
Example Cloud Connector: Connection number 10 from 192.168.55.111 established.
Severity Info
Facility local0
Log text Cloud Connector: Connection number {config detail} from {ip address} closed.
Standard IEC 62443-3-3 Reference: SR 1.2
Description An unknown device requested a connection. Request was denied. (Connection
via TIA Portal Cloud Connector)
Example Cloud Connector: Connection number 6 from 192.168.55.111 closed.
Severity Info
Facility local0
Log text {protocol}: User {user name} changed password of user {action user name}.
Standard IEC 62443-3-3 Reference: SR1.3
Description User has changed other password.
Example Console: User admin changed password of user test.
Severity Info
Facility local0
Log text {protocol}: User {user name} created user-account {action user name}.
Standard IEC 62443-3-3 Reference: SR1.3
Description The administrator created a new account.
Example WBM: User admin created user-account joachim.
Severity Info
Facility local0
Log text {protocol}: User {user name} deleted user-account {action user name}.
Standard IEC 62443-3-3 Reference: SR1.3
Description The administrator deleted an existing account.
Example WBM: User admin deleted user-account joachim.
Severity Info
Facility local0
Log text User {user name} account is locked for {time} minutes after {failed login count}
unsuccessful login attempts.
Standard IEC 62443-3-3 Reference: SR1.11
Description If there are too many failed logins, the corresponding user account was locked
for a specific period of time.
Example User admin account is locked for 10 minutes after 30 unsuccessful login at-
tempts.
Severity Warning
Facility local0
Log text SINEMA RC - State of Digital Input changed to HIGH. SINEMA RC - OpenVPN
connection established.
Standard IEC 62443-3-3 Reference: SR 1.13
Description Remote access is permitted. (SINEMA RC, Digital Input)
Example SINEMA RC - State of Digital Input changed to HIGH.
SINEMA RC - OpenVPN connection established.
Severity Info
Facility local0
Log text SINEMA RC - State of Digital Input changed to LOW. SINEMA RC - OpenVPN
terminated.
Standard IEC 62443-3-3 Reference: SR 1.13
Description Remote access denied (SINEMA RC, Digital Input)
Example SINEMA RC - State of Digital Input changed to LOW.
SINEMA RC - OpenVPN terminated.
Severity Info
Facility local0
Log text User specific firewall user "{user name}" activated rule set "{firewall rule}" with ip
address "{ip address}". Timeout is set to {timeout} minutes.
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R2)
Description User has logged onto the user-specific firewall. (USF Digital User Login)
Example User specific firewall user "usf" activated rule set "rs1" with ip address
"172.23.1.14". Timeout is set to 5 minutes.
Severity Info
Facility local0
Log text User specific firewall user "{user name}" activated rule set "{firewall rule}" with ip
address "{ip address}". Timeout is set to {timeout} minutes.
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R2)
Description User has logged onto the user-specific firewall. (USF Digital Input Login)
Example User specific firewall digital input {trigger pin} activated rule set "{firewall rule}"
with ip address "{ip address}".
Severity Info
Facility local0
Log text User specific firewall user "{user name}" ruleset "{firewall rule}" time expired.
Standard IEC 62443-3-3 Reference: SR 2.1
Description Access to the user-specific firewall denied. Access time expired. (USF User
Logout)
Example User specific firewall user "usf" ruleset "rs1" time expired.
Severity Warning
Facility local0
Log text User specific firewall user "{user name}" logged out by administrator configura-
tion.
Standard IEC 62443-3-3 Reference: SR 2.1
Description Access to the user-specific firewall denied. The device administrator deactivates
the user using the "Force Deactivate" button. (USF user force log out by admin)
Example User specific firewall user "usf" logged out by administrator configuration.
Severity Warning
Facility local0
Log text User specific firewall user "{user name}" deactivated by administrator configura-
tion.
Standard IEC 62443-3-3 Reference: SR 2.1
Description Access to the user-specific firewall denied. The device administrator has deac-
tivated the user. (USF user deactivated by admin)
Example User specific firewall user "usf" deactivated by administrator configuration.
Severity Warning
Facility local0
Log text User specific firewall digital input {trigger pin} deactivated rule set "{firewall
rule}".
Standard IEC 62443-3-3 Reference: SR 2.1
Description Access to the user-specific firewall denied; corresponding rule set was deac-
tivated. (USF Digital Input Logout)
Example User specific firewall digital input 1 deactivated rule set "rs1".
Severity Warning
Facility local0
Session lock
Log text The session of user {user name} was closed after {time} seconds of inactivity.
Standard IEC 62443-3-3 Reference: SR2.5
Description The current session was locked due to inactivity.
Example The session of user admin was closed after 60 seconds of inactivity.
Severity Warning
Facility local0
Log text [JOB] <{connection name}|{config detail}> deleting CHILD_SA after {time sec-
ond} seconds of inactivity
Standard IEC 62443-3-3 Reference: SR 2.6
Description The remote session was ended after a period of inactivity. (IPsec)
Example [JOB] <to_Baugruppe1|21> deleting CHILD_SA after 20 seconds of inactivity
Severity Info
Facility local0
Log text OVPN_{connection name}[{config detail}]: [{config detail}] Inactivity timeout (--
ping-
restart), restarting
Standard IEC 62443-3-3 Reference: SR 2.6
Description The remote session was ended after a period of inactivity. (OpenVPN)
Example OVPN_c1[26296]: [router] Inactivity timeout (--ping-restart), restarting
Severity Info
Facility local0
Log text {protocol}: The maximum number of {max sessions} concurrent login session
exceeded.
Standard IEC 62443-3-3 Reference: SR2.7
Description The maximum number of parallel connections is exceeded.
Example WBM: The maximum number of 8 concurrent login session exceeded.
Severity Warning
Facility local0
Communication integrity
Log text [IKE] <{connection name}|{config detail}> received invalid DPD sequence num-
ber
{config detail} (expected {config detail}), ignored
Standard IEC 62443-3-3 Reference: SR 3.1
Description Integrity check failed. (IPsec)
Example [IKE] <c1|1> received invalid DPD sequence number 10 (expected 12), ignored
Severity Info
Facility local0
Log text {protocol}: Loaded file type Firmware {version} (restart required).
Standard IEC 62443-3-3 Reference: SR7.4
Description Firmware update was successfully uploaded.
Example TFTP: Loaded file type Firmware V02.00.00 (restart required).
Severity Info
Facility local0
Log text {protocol}: User {user name} loaded file type Firmware {version} (restart re-
quired).
Standard IEC 62443-3-3 Reference: SR7.4
Description Firmware update was successfully uploaded.
Example WBM: User admin loaded file type Firmware V02.00.00 (restart required).
Severity Info
Facility local0
Log text {protocol}: User {user name} loaded file type Config (restart required).
Standard IEC 62443-3-3 Reference: SR7.4
Description The configuration is applied.
Example WBM: User admin loaded file type Config (restart required).
Severity Info
Facility local0
Log text {protocol}: User {user name} loaded file type ConfigPack (restart required).
Standard IEC 62443-3-3 Reference: SR7.4
Description The configuration is applied.
Example WBM: User admin loaded file type ConfigPack (restart required).
Severity Info
Facility local0
A E
Aging E-Mail function, 151
Dynamic MAC Aging, 231 Events, 151
Authentication, 163 Line monitoring, 151
Available system functions, 20 Error status, 99
B F
Basic Wizard Factory defaults, 317
Starting, 73 Factory setting, 317
Bridge, 109, 233 Fault monitoring
Bridge priority, 109, 233 Connection status change, 186
Root bridge, 109, 233 Forward Delay, 110, 234
Bridge Max Age, 110, 234
Bridge Max Hop Count, 110
button, 183 G
Geographic coordinates, 128
Glossary, 4
C
Groups, 269
CA certificate, 53
Certificates, 280
Configuration H
PPP, 221
Hardware Revision, 92
Configuration manuals, 317
Hello time, 110, 234
Configuration mode, 125
CoS (Class of Service), 38
C-PLUG, 25
I
Formatting, 190
Saving the configuration, 190 ICMP, 36
Information
ARP table, 93
D Groups, 121
Hardware, 91
DCP Discovery, 195
IPsec VPN, 105
DCP server, 123
LLDP, 102
Dead peer detection, 58
Log table, 94, 98
Device
OpenVPN client, 108
Basic Wizard, 76
Role, 120
System, 126
Security, 116, 119
Device certificate, 53
Security log, 96
DHCP
SINEMA RC, 106
Client, 201
SNMP, 101, 102
DST
Software, 91
Daylight saving time, 167, 169
Spanning tree, 111